We've seen a similar issue, found that the root cause was our Cisco Anyconnect clients and how split brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails resolves as "wpad.co.uk". Image shows a machine on the VPN vs off.
I can only assume something similar is happening with the DNS on your clients.