Central logging vs DNS targets

Oh boy – I was not ready for a hit like that. But let me start with the whole picture, shall we?

I do run a central syslog using Graylog and I tend to ship my logs to that device for easier searching and poking around in those. No big deal until I looked at my DNS traffic, which was stupidly high. To be exact, more than 3000 DNS requests in less than 10 minutes. Turns out it was the log server being addressed using a DNS name instead of its IP address, which led to that problem of my Access Points resolving their log target on every line.

I would have hoped for them to have at least some caching or anything like that implemented – but that wasn’t the case. Lesson learned: Use the IP for syslog servers.


