Journal for Academic Computing and Networking
Online ISSN : 2433-7595
Print ISSN : 1343-2915
Original paper
A DNS-based Countermeasure Technology for Bot Worm-infected PC terminals in the Campus Network
Dennis A. Ludeña Romaña, Hirofumi Nagatomi, Yasuo Musashi, Ryuichi Matsuba, Kenichi Sugitani

2006 Volume 10 Issue 1 Pages 39-46

Abstract

The DNS query traffic in a campus top domain DNS server was statistically investigated in order to find security incidents, especially bot worm (BW)-infected PCs on the campus network. The following interesting results were obtained: (1) The total traffic of DNS query access from outside the campus network frequently correlates with the number of unique source IP addresses. (2) The unique source IP address-based entropy (randomness) also frequently correlates well with the query contents-based entropy. These results indicate that we can detect suspicious IP hosts, especially spam bots, in the campus network by watching only the DNS query traffic from outside the university.
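The two correlations named in the abstract can be computed per time window from a DNS query log; the sketch below is an added example, not code or data from the paper. It assumes Shannon entropy as the entropy measure, a 60-second window, and a constructed `(time, source IP, query name)` record format, none of which the abstract specifies.

```python
import math
from collections import Counter, defaultdict

def constructed_sample():
    """Constructed (unix_time, source_ip, query_name) records; not data from the paper."""
    recs = [(t, f"198.51.100.{1 + t // 2}", f"host{1 + t // 2}.campus.example") for t in range(4)]
    # One-minute burst: eight distinct outside resolvers, eight distinct names.
    recs += [(60 + i, f"203.0.113.{i + 1}", f"pc{i + 1}.campus.example") for i in range(8)]
    recs += [(120 + i, "198.51.100.1", "host1.campus.example") for i in range(2)]
    return recs

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution (assumed definition)."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def window_stats(records, window=60):
    """Per-window query count, unique sources, and both entropies."""
    buckets = defaultdict(list)
    for ts, src, qname in records:
        buckets[ts // window].append((src, qname.lower().rstrip(".")))
    stats = []
    for w in sorted(buckets):
        srcs = [s for s, _ in buckets[w]]
        names = [q for _, q in buckets[w]]
        stats.append({"window": w, "queries": len(srcs), "unique_src": len(set(srcs)),
                      "h_src": shannon_entropy(srcs), "h_query": shannon_entropy(names)})
    return stats

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def correlations(records, window=60):
    """Return (r of traffic vs unique sources, r of source vs query entropy)."""
    s = window_stats(records, window)
    col = lambda k: [row[k] for row in s]
    return (pearson(col("queries"), col("unique_src")),
            pearson(col("h_src"), col("h_query")))

if __name__ == "__main__":
    for row in window_stats(constructed_sample()):
        print(row)
    print("r(traffic, unique_src), r(H_src, H_query) =", correlations(constructed_sample()))
```

Windows where query volume, unique outside sources and both entropies rise together are the ones to review against campus hosts sending mail at that time.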

© 2006 Journal for Academic Computing and Networking Editorial Board