Istio-proxy: dns-over-tcp

What are the conditions under which istio-proxy/envoy can make DNS requests over TCP?
These reasons don’t include the possibility of having a truncated flag in the DNS response.

Istio Version: 1.11.3
What are we seeing?
Envoy is making DNS calls over TCP at regular intervals. These calls include calls for the tracing backend (jaeger-collector) as well as an “ExternalService” Service pointing to another domain.
If we make DNS calls from the pod using nslookup/curl/dig, they are UDP by default. Other applications in the same pod are making UDP-based DNS calls.

What happened?
This started happening after we deleted aws-auth configmap in our EKS clusters. Even after our cluster recovered, we are still facing the same issue.