What we've done in similar situations is to use a watchlist in the alarm.
So say in this case you alerting on a source IP list that is looking up badsite.com.
First, create a static watchlist, something like "IPs for Bad DNS Lookups" where values expiry with an appropriate time. I'd say in your case anywhere from an hour to 24 hours is probably appropriate.
Now, in your alarm, since you're using a correlation rule for most of the logic, you'd just add another filter (with an AND clause) saying Signature ID In (your correlation rule) AND Source IP Not In "IPs for Bad DNS Lookups" and under Actions, add the Source IP to the watchlist.
This does a couple of things I really like. First, it stops the alarm from firing an absurd number of times for the same host, but will let you know all hosts that have it happening. However, the Correlation Rule will fire every time. That way, when you go to investigate, you can just quickly look at that correlation rule and filter by that host IP if you want, to see how much it has been happening since the alarm fired.