Follow
That's *very* long. Enable query request *and* response log and you can see straight away which ones take time to resolve (even visually), then you can get exact metrics using timestamps. Maybe a problem with DNSSEC resolution? It's requires way more requests than regular resolution, and then if your system clock is off the signatures will fail. Also make the cache as large as possible.