by k4ch0w 1768 days ago
Packet size is a really good detection for this. DNS packets should only be so big ;)
2 comments

So I split my packets up into smaller chunks. Now you need to rate limit DNS. But you still need to allow regular DNS traffic somehow, or you break the internet.
Well, allowlist to a known DNS server and block anything on DNS that isn't allowlisted.
The exfiltrated data isn't for DNS resolvers but is leaked to nameservers through them.

A similar technique forms the basis of how services like dnsleaktest.com and which.nameserve.rs identify the DNS resolvers in use by a particular client.

And packet rate. Some corporate firewalls may detect this as abusive and block it, leading to questions from the security operations team for the person testing this out.
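As an added example, not code from anyone in the thread, here is a small checker that applies the three ideas raised above (query size, per-client query rate, and a resolver allowlist) to a constructed DNS query log. The log format (`epoch client resolver qname qtype`), the allowlisted resolver `10.0.0.53`, and every threshold are assumptions chosen for the demo; the "exfil" client deliberately sends short chunked names, the counter-move described in the thread, so the size rule alone misses it and only the rate and encoding rules catch it.

```python
"""Toy DNS-tunnel detector over a constructed query log (added example, not from the thread).

Rules (all thresholds are assumptions for this demo):
  long_qname       whole query name longer than MAX_QNAME_LEN
  encoded_label    a label that looks like a hex payload chunk (>= 16 hex chars)
  high_entropy     a label whose Shannon entropy exceeds ENTROPY_BITS (catches base32/base64-ish chunks)
  foreign_resolver query sent to a resolver that is not on the allowlist
  rate             more than MAX_QUERIES_PER_WINDOW queries from one client within WINDOW_SECONDS
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

ALLOWED_RESOLVERS = {"10.0.0.53"}   # assumption: the only resolver clients may talk to
MAX_QNAME_LEN = 80                  # assumption: benign names in this estate are shorter
ENTROPY_BITS = 3.5                  # assumption: English-ish labels sit well below this
MAX_QUERIES_PER_WINDOW = 20
WINDOW_SECONDS = 10
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    """Log format assumed for this demo: '<epoch> <client> <resolver> <qname> <qtype>'."""
    ts, client, resolver, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "resolver": resolver,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def classify_query(rec: dict) -> list[str]:
    """Per-query rules: size, encoded-looking labels, and the resolver allowlist."""
    reasons = []
    if rec["resolver"] not in ALLOWED_RESOLVERS:
        reasons.append("foreign_resolver")
    if len(rec["qname"]) > MAX_QNAME_LEN:
        reasons.append("long_qname")
    labels = rec["qname"].split(".")
    if any(HEX_LABEL.match(label) for label in labels):
        reasons.append("encoded_label")
    if any(shannon_entropy(label) > ENTROPY_BITS for label in labels):
        reasons.append("high_entropy")
    return reasons


def rate_alerts(records: list[dict]) -> dict[str, int]:
    """Sliding window per client; returns {client: peak queries in one window} for clients over the limit."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r["ts"])
    over = {}
    for client, stamps in by_client.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_QUERIES_PER_WINDOW:
            over[client] = peak
    return over


def analyze(log_text: str) -> dict:
    """Returns {'flagged': {client: {reason: count}}, 'rate': {client: peak}}."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    flagged = defaultdict(Counter)
    for r in records:
        for reason in classify_query(r):
            flagged[r["client"]][reason] += 1
    return {"flagged": {c: dict(v) for c, v in flagged.items()}, "rate": rate_alerts(records)}


def build_sample_log() -> str:
    """Constructed log: one benign client, one client bypassing the resolver, one chunked-exfil client."""
    lines = [
        "1700000000 10.0.0.5 10.0.0.53 www.example.com A",
        "1700000003 10.0.0.5 10.0.0.53 mail.example.com MX",
        "1700000009 10.0.0.5 10.0.0.53 cdn.static-assets.example.net AAAA",
        "1700000004 10.0.0.9 8.8.8.8 www.example.com A",  # not the allowlisted resolver
    ]
    # 10.0.0.7 sends 25 queries in 5 seconds, each carrying a 32-hex-char chunk:
    # the names stay short (under MAX_QNAME_LEN), so only rate and encoding rules fire.
    for i in range(25):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{1700000000 + i // 5} 10.0.0.7 10.0.0.53 {chunk}.t.exfil-example.net TXT")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Running it flags `10.0.0.9` only for talking to a non-allowlisted resolver, flags every query from `10.0.0.7` as an encoded label and reports its burst of 25 queries in one window, and leaves the benign client alone. The benign client is also the reason the hex rule is kept narrow: broad alphabet tests such as "all base32 characters" match ordinary long words, so in practice the entropy rule does the work for non-hex encodings, with the thresholds tuned against real traffic from the environment.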