DNS capture is not correct when using CNI. It's capturing packets which the destination is the server found in /etc/resolv.conf. Since with CNI the iptables binary runs on the node, it's getting the contents of resolv.conf from the node, not from the container. Upstream fixed this in https://github.com/istio/istio/issues/29511 which we need to backport in some way.