What is calling a recurring command

How can I figure out what is calling a recurring command?

I first noticed that an unusual network request was flooding my pihole logs. Then checking wireshark and tcpdump I could see it there too. It is happening about every 5 seconds or so, but not consistently. I would like to know what is making this network call? It is on an Arch Linux box. I’ve managed to find out the program name (dig) by running watch 'sudo netstat -utenp | grep | grep -v "-", but the PID changes every time. So how can I figure out what is calling dig so much if the PID keeps changing? I have also checked cron, it’s nothing in there. I’ve also checked all of my systemd timers and other running services. I don’t see anything suspicious, but maybe I missed something. Any ideas where else I might check?