Which statement best describes a DNS tunneling indicator?

Multiple Choice

Which statement best describes a DNS tunneling indicator?

Explanation:
DNS tunneling hides data inside the DNS query labels. The clearest signal is long or encoded subdomains, because an attacker—or a compromised host—often places payload data into the subdomain portion of a query to a domain they control. This creates unusually long, high-entropy, or seemingly random strings within the domain name, sometimes with encoded characters, which stands out against normal traffic patterns.

Normal DNS traffic tends to use short, readable hostnames that reflect legitimate domain structures, not payload-laden labels. While DNS can use TCP for larger responses and even produce large replies in legitimate scenarios (for example, with EDNS0 or DNSSEC), those aspects aren’t reliable indicators of tunneling. The defining indicator is the presence of long or encoded subdomains carrying data.
