by userbinator 3919 days ago
Also, so that unauthenticated users can't use DNS as a tunnel method, which is pretty damned cool, but insecure.

You can put TLS into a DNS tunnel too, it's just even slower.


I've done TCP-over-SSH-over-DNS many times (using iodine and sshuttle) and it was actually surprisingly usable! I could get over 200Kbps downstream. Iodine uses NULL requests (if allowed by the recursive DNS server) which can fit 1KB+ per request/reply.
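
For defenders watching a resolver, the NULL-request behaviour mentioned in the comment above is a usable detection signal. The following is an added example, not part of the thread or of iodine: it parses the question section of a wire-format DNS query and reports tunnel indicators. The function names, the thresholds and the `example.com` sample queries are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter
QTYPE_NULL = 10       # RFC 1035 NULL record type
MAX_QNAME_LEN = 100   # assumed threshold, tune against your own baseline
MIN_ENTROPY = 3.8     # assumed threshold, bits per character

def build_query(name, qtype):
    """Encode a constructed DNS query, used only as sample input here."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype) for the first question of a wire-format message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(msg[pos:pos + length].decode("latin-1"))
        pos += length
    # struct.error is raised here if the type/class fields are cut off
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype

def entropy(text):
    counts = Counter(text)  # Shannon entropy, bits per character
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def tunnel_indicators(msg):
    """List the reasons a query looks like tunnel traffic (empty if none)."""
    qname, qtype = parse_question(msg)
    reasons = []
    if qtype == QTYPE_NULL:
        reasons.append("null-qtype")
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long-qname")
    first = qname.split(".")[0]
    if len(first) >= 32 and entropy(first) > MIN_ENTROPY:
        reasons.append("high-entropy-label")
    return reasons
```
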