So funnily enough, we had an analyst do a deeper dive on this, and it appears that if the following command is run, it will make those DNS requests:
ipconfig.exe /displaydns
We did not realize that Sysmon captured these as DNS events, but it sort of makes sense. Can anyone confirm that the command above is properly triggering DNS requests?
We noticed our vulnerability scanner is what tripped this, and before all of the DNS traffic, we saw the vulnerability scanner user running this command. Pretty interesting!