By default, Active Directory clients will update their own records using secure dynamic DNS updates. Once they are joined to the domain, they should immediately and automatically create this record in your ADI DNS zones.
It has nothing to do with DHCP in a default configuration. You can use DHCP proxy updates, but this is not recommended in most deployments and needs extra configuration. If you were using this configuration, you'd know it.
See this article for more info: http://technet.microsoft.com/en-us/library/cc771255.aspx
If a forwarder is configured, dnsmasq will forward all DNS queries that it has no explicit data for. This includes records for configured static DHCP clients that have no active lease, AAAA records unless IPv6 addresses are defined explicitly, and more.
There are several ways to avoid this:
Don't configure a forwarder
Simply omit the forwarder entries in the network definition. Probably not desirable, unless the virtual network is really isolated. This is the only possibility that libvirt currently supports (12/2014), AFAIK.
local domain in dnsmasq.conf
Configure the domain as "local" in dnsmasq:
domain=local.net,192.168.10.0/24
local=/local.net/
local=/10.168.192.in-addr.arpa/
In theory, this could be abbreviated as domain=local.net,192.168.10.0/24,local, but a dnsmasq bug fixed only recently causes this to fail.
libvirt doesn't support this. In order to use this configuration, you need to set up the bridge manually in your OS and configure the libvirt network like this:
<network>
<name>local</name>
<forward mode='bridge'/>
<bridge name='br0'/>
</network>
You don't have to create a libvirt virtual network at all in this configuration; just use <interface type='bridge'> in your VM definition files.
auth zone in dnsmasq.conf
The auth-zone parameter has a similar effect to local. However, it has other implications that I don't claim to fully understand. I suppose this configuration would be desirable if names in the virtual network are supposed to be resolved from the outside.
domain=local.net
auth-zone=local.net
This setup isn't supported by libvirt either, so the same procedure for setting up the bridge must be applied as above.
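An added example, not part of the answer above and not code from dnsmasq or libvirt: a small Python check that reads dnsmasq.conf text and reports which zones implied by domain= lines would still go to the forwarder because no local= entry covers them. The function names and sample configurations are constructed for illustration (the values are the ones in the answer), and it assumes only domain= and local= lines matter and that ranges are /8, /16 or /24 IPv4 networks.

```python
import ipaddress
import re

def reverse_zone(cidr):
    """in-addr.arpa zone for an IPv4 network on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: only /8, /16 and /24 IPv4 networks are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def forwarded_zones(conf_text):
    """Zones implied by domain= lines that no local= entry keeps off the forwarder."""
    needed, local = [], set()
    for raw in conf_text.splitlines():
        # Treat '#' at line start or after whitespace as a comment.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().lower()
        if key == "domain":
            parts = [p.strip() for p in value.split(",")]
            zones = [parts[0]]
            if len(parts) > 1 and "/" in parts[1]:
                zones.append(reverse_zone(parts[1]))
            if "local" in parts[2:]:
                # Abbreviated form: trusted here, although the answer notes
                # that older dnsmasq builds mishandled it.
                local.update(zones)
            needed.extend(zones)
        elif key == "local" and value.startswith("/") and value.endswith("/"):
            local.update(z for z in value.split("/") if z)  # local=/a/b/ lists several

    def covered(zone):
        # A local= entry also covers subdomains of the zone it names.
        return any(zone == l or zone.endswith("." + l) for l in local)

    return [z for z in needed if not covered(z)]

# Constructed sample configurations using the values from the answer.
FORWARDING = "domain=local.net,192.168.10.0/24\n"
LOCAL_ONLY = FORWARDING + "local=/local.net/\nlocal=/10.168.192.in-addr.arpa/\n"

if __name__ == "__main__":
    for name, conf in (("forwarding", FORWARDING), ("local-only", LOCAL_ONLY)):
        print(name, forwarded_zones(conf) or "nothing leaves for the forwarder")
```

A non-empty result names the forward or reverse zone whose unanswered queries would reach the upstream resolver.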
Best Answer
You can disable DNS for a network with
<dns enable="no"/>
in the network XML. See the documentation.