This is, as Ricky Beam indicates, almost certainly TCP segmentation being done by the NIC. If you're capturing traffic on the server, capturing packets being sent by the server, and TCP segmentation offloading is being done, the server's operating system will hand packets bigger than the network's MTU to the NIC (with the expectation that the NIC will turn them into multiple IP packets) and to the packet capture mechanism and thus to the packet capture program, so it will appear as if a packet bigger than the network's MTU is being transmitted on that network - for example, Ethernet packets larger than 1514 bytes.
The answer is simple: whenever the host pleases. Really. It's that simple.
The explanation below assumes an IPv4-only environment, since IPv6 does away with fragmentation in the routers (forcing the host to always deal with fragmentation and MTU discovery).
There is no strict rule that governs when (or even if) a host does Path MTU Discovery. The reason that PMTUD surfaced is that fragmentation is considered harmful for various reasons. To avoid packet fragmentation, the concept of PMTUD was brought to life as a workaround. Of course, a nice operating system should use PMTUD to minimize fragmentation.
So, naturally, the exact semantics of when PMTUD is used depend on the sender's operating system - in particular, the socket implementation. I can only speak for the specific case of Linux, but other UNIX variants are probably not very different.
In Linux, PMTUD is controlled by the IP_MTU_DISCOVER socket option. You can retrieve its current status with getsockopt(2) by specifying the level IPPROTO_IP and the IP_MTU_DISCOVER option. This option is valid for SOCK_STREAM sockets only (a SOCK_STREAM socket is a two-way, connection-oriented, reliable socket; in practice it's a TCP socket, although other protocols are possible), and when set, Linux will perform PMTUD exactly as defined in RFC 1191.
Note that in practice, PMTUD is a continuous process; packets are sent with the DF bit set - including the 3-way handshake packets - you can think of it as a connection property (although an implementation may be willing to accept a certain degree of fragmentation at some point and stop sending packets with the DF bit set). Thus, PMTUD is just a consequence of the fact that everything on that connection is being sent with DF.
What if you don't set IP_MTU_DISCOVER?
There's a default value. By default, IP_MTU_DISCOVER is enabled on SOCK_STREAM sockets. This can be read or changed by reading /proc/sys/net/ipv4/ip_no_pmtu_disc. A zero value means that IP_MTU_DISCOVER is enabled by default in new sockets; a non-zero means the opposite.
What about connectionless sockets?
This is tricky because connectionless, unreliable sockets do not retransmit lost segments. It becomes the user's responsibility to packetize the data in MTU-sized chunks. Also, the user is expected to make the necessary retransmits in case of a Message too big error. So, essentially user code must reimplement PMTUD. Nevertheless, if you're up for the challenge, you can force the DF bit by passing the IP_PMTUDISC_DO flag to setsockopt(2).
The bottomline
- The host decides when (and if) to use PMTUD
- When it uses PMTUD, it's like a connection attribute, it happens continuously (but at any point the implementation is free to stop doing so)
- Different operating systems use different approaches, but usually, reliable, connection-oriented sockets perform PMTUD by default, whereas unreliable, connectionless sockets don't
Best Answer
So to be frank, I had no idea this was a thing or why - but a bit of Google-fu was able to provide an answer. Please do some more research in the future.
Stole part of a response from ServerFault: https://serverfault.com/questions/587625/why-dns-through-udp-has-a-512-bytes-limit
As DNS is usually UDP, (with the exception of things like zone transfers, or DNSSEC which are TCP) as such, delivery is not ensured. The above statement in the RFC guarantees the host will be able to handle the response size. This appropriately, corresponds to the smallest possible MTU of 576 bytes.