> I am going to write a script that detects DNS tunneling. BTW, if it's not on your radar you should check out our paper on doing this: http://www.icir.org/vern/papers/covert-dns-usec13.pdf In generally, finding tunneling is much more involved than looking for long lookups, for example. Vern