Several DNS requests are sent even if dnsRefreshRate is set to a high value

According to Istio / Global Mesh Options , the dnsRefreshRate parameter defines how often envoy clusters (of type STRICT_DNS) are being resolved through DNS requests.

If I run a tcpdump on my dns server, I see a lot of traffic:

tcpdump -ni peth1 port 53 | grep
18:58:59.540100 IP > 23926+ [1au] A? (45)
18:58:59.540122 IP > Flags [P.], seq 2905:2952, ack 24375, win 501, options [nop,nop,TS val 3554228951 ecr 1983605167], length 47 40847+ [1au] A? (45)
18:58:59.540187 IP > Flags [P.], seq 735:782, ack 5296, win 501, options [nop,nop,TS val 3554228951 ecr 1983604806], length 47 57343+ [1au] A? (45)
18:58:59.540226 IP > 26016+ [1au] A? (45)
18:58:59.540226 IP > 23109+ [1au] A? (45)
18:58:59.540277 IP > Flags [P.], seq 172:219, ack 1096, win 501, options [nop,nop,TS val 2720788871 ecr 1071096917], length 47 32613+ [1au] A? (45)
18:58:59.540363 IP > 33688+ [1au] A? (45)
18:58:59.540564 IP > 15602+ [1au] A? (45)
18:58:59.540841 IP > Flags [P.], seq 1783:1830, ack 12746, win 501, options [nop,nop,TS val 3554228952 ecr 1983601338], length 47 54160+ [1au] A? (45)
18:58:59.540951 IP > 15062+ [1au] A? (45)

I see many blocks like this one (with even more dns packets), and I see them roughly every 30 seconds.
This happened with default dnsRefreshRate, but it also happens after setting this parameter to 60s or 600s.

Now, I would expect some DNS requests like these, because I setup a ServiceEntry for

kubectl get serviceentry -n istio-system facebook -o yaml
kind: ServiceEntry
  name: facebook
  namespace: istio-system
  location: MESH_EXTERNAL
  - name: tls-service
    number: 443
    protocol: TLS
  resolution: DNS

This is because to reach external domains from my cluster, I want all the traffic to be redirected to an egress gateway (so I have corresponding Gateway / VirtualService / DestinationRule resources, which I don’t think are so relevant in this case).
I also saw some recommendation that suggested to use STATIC resolution instad of DNS, but my goal would be to rely on DNS resolution so that I can avoid binding (or any other domain) to one or more IP addresses.

I’m wondering how I can debug this further: dnsRefreshRate seems to be an envoy configuration, so I tried to look at any pod’s istio sidecar logs, and I see entries like this:

2021-09-29T17:21:29.340766Z	debug	envoy upstream	DNS refresh rate reset for, refresh rate 30000 ms

I also see them for other domains that I configure just like, but the refresh rate seems to change (sometimes it’s 5000ms, sometimes it’s 1000ms).

What is going on here? Are all the pods with istio sidecar deployed trying to resolve every X seconds? Is this influenced by the dnsRefreshRate parameter? Is yes: why don’t I see any difference when I set different dnsRefreshRate values? If no: where is my understanding about this wrong?

Any suggestion would be appreciated, as I’m a bit blind in debugging this. Thank you.

We also set Cluster configuration — envoy 1.20.0-dev-38e7d2 documentation - May be the DNS TTL is set like that.

Thank you for your reply. But how do I configure that with Istio?