Which pattern in a DNS capture is a sign of potential DNS tunneling?

Multiple Choice

Explanation:
In DNS tunneling, data is carried through DNS queries by encoding the payload into the domain names being looked up. Attackers put chunks of information into the subdomain labels and send a flurry of queries to a domain they control. Because of this encoding, you'll often see many DNS queries with unusually long, high-entropy domain names, far beyond what normal DNS traffic looks like. That combination, high query volume plus long, strange-looking domain names, is a strong indicator that DNS is being used as a covert channel for data exfiltration.

The other patterns don't fit the same scenario. Frequent TXT responses describe the type of DNS response rather than how the data is being carried, and tunneling detection focuses on the structure of the queries themselves rather than the response content. A high volume of TLS handshakes relates to encrypted web traffic rather than DNS, and HTTP 404 responses are web-server errors unrelated to DNS tunneling.
