We've discovered that dns_to_ipset (using python3 dns.resolver) gets different answers from recdns.anycast.wmnet for TCP queries vs UDP queries. It looks like at least some services are probably using UDP, because we're running into situations where a service will try to hit a pool of IPs that don't correlate to what has been poked into ipset, for extended periods of time, with dns_to_ipset using TCP.
I think we can work around this by making dns_to_ipset do its DNS polling both by UDP and TCP and merge the results.
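As an added illustration of the proposed workaround (this is example code, not the actual dns_to_ipset script), the following polls a resolver over both transports and takes the union of the A records. It deliberately uses only the Python standard library instead of dnspython's dns.resolver, so the DNS wire format is built and parsed by hand; the resolver address, query name and the fake replies are assumed or constructed values and do not come from the report above.

```python
"""Added example (not Wikimedia's dns_to_ipset): query a resolver over UDP and TCP
with only the standard library, and merge the A records. The resolver address,
query name and fake replies below are assumed/constructed values."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1

def _encode_name(name):
    """'a.b' -> b'\\x01a\\x01b\\x00' (DNS label encoding)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid):
    """Recursive (RD=1) query for an A record."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN))

def build_response(qid, name, ips, ttl=60):
    """Constructed reply, used only to fake resolver answers offline."""
    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in ips:   # 0xC00C: compression pointer back to the QNAME at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return msg

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_a_records(data):
    """Set of IPv4 strings in the answer section; empty on a non-zero RCODE."""
    _qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:
        return set()
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def query(name, server, tcp=False, timeout=2.0):
    """One lookup over the chosen transport; returns the parsed A records."""
    qid = random.randrange(65536)
    msg = build_query(name, qid)
    if tcp:   # DNS over TCP prefixes each message with a 2-byte length
        with socket.create_connection((server, 53), timeout=timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", f.read(2))
            data = f.read(length)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, 53))
            data, _ = s.recvfrom(4096)
    if data[:2] != msg[:2]:
        raise ValueError("reply ID does not match the query")
    return parse_a_records(data)

def merge_answers(udp_ips, tcp_ips):
    """Union of both transports, sorted numerically so ipset diffs are stable."""
    return sorted(set(udp_ips) | set(tcp_ips), key=socket.inet_aton)

def resolve_both(name, server):
    """Poll over UDP and TCP and merge. A transport that errors contributes
    nothing instead of aborting, so one broken transport cannot empty the set."""
    results = []
    for tcp in (False, True):
        try:
            results.append(query(name, server, tcp=tcp))
        except (OSError, ValueError) as exc:
            print(f"{'tcp' if tcp else 'udp'} lookup failed: {exc}")
            results.append(set())
    return merge_answers(*results)

if __name__ == "__main__":
    # Offline run with constructed replies that disagree, as the report describes.
    udp = parse_a_records(build_response(1, "svc.example.internal", ["10.0.0.1", "10.0.0.2"]))
    tcp = parse_a_records(build_response(1, "svc.example.internal", ["10.0.0.2", "10.0.0.3"]))
    print(merge_answers(udp, tcp))
```

Against a live resolver you would call `resolve_both("svc.example.internal", "<resolver-ip>")` from the polling loop and feed the merged list into ipset. The merge is a plain union: an address seen on either transport stays in the set, which is the behaviour wanted when clients may be using either one. Note the failure handling in `resolve_both`: a transport that times out yields an empty set rather than an exception, so a single bad path degrades to the other transport's view instead of flushing every entry.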