In case anyone comes across this in the future, these lookups were being sourced by a threat intelligence appliance. Why it needs to know about dodgy URLs is clear. Why it tried to resolve them, is not. But at least I got my answer to "what system is originating these queries?".
... View more