If someone is doing that, you're in the realm of targeted attacks instead of scans, which is outside the scope of my original comment. It's similar to someone monitoring your traffic; as I already said, if that's the case you need more anyways.
Security is not choose your own buffet where you get to only think about scans but ignore other common attack vectors. Botnets are common enough that targeted attacks like I described are just as common as scans, so you always need more anyway.
Configuring your host to return 404 on invalid subdomains is just not a general solution; at best it just buys you some time until attackers find the subdomain, i.e. kicking the can down the road, like I originally said.
No, I'm saying that's one of many behaviours. They mine domains and URLs scraped from email addresses, email headers and bodies, online content, and more. Your site is not "secure" when that security can be circumvented by someone pasting a URL into an email.
You can actually buy "Passive DNS" records. Big DNS providers collect all the answers they learned while serving, deliberately without recording who asked, and the answers are aggregated and available for purchase.
So if Sarah in accounts once went to secret-webserver.internal.example.com from her laptop at home before turning on the VPN by mistake, her upstream DNS provider will tell any attackers with some $$$ that secret-webserver.internal.example.com existed, when it existed, what the A or AAAA records said and so on.
Targeted attacks will know about secret-webserver.internal.example.com even though only *.internal.example.com is listed in the CT logs.
How so?