DNS is a foundational application layer protocol used in networking and used, for example, to translate domain names (example.com) into numerical Internet Protocol (IP) addresses (101.1.1.101). DNS is generally not intended for general data transfer. However, several approaches have been developed for so called DNS tunneling, namely using DNS for general data communication. Disadvantageously, DNS traffic is monitored with less attention in terms of security monitoring. Thus, DNS tunneling has been seen as a technique to circumvent security measures. DNS tunneling was originally developed as a simple technique to bypass endpoints at the network edge, but it has evolved and is often used for nefarious purposes. DNS tunneling uses DNS queries and responses for communication by other programs or protocols to bypass firewall or network security. For DNS tunneling to work, the end DNS nameserver must be a modified name server than can extract and process data from DNS queries. Current techniques to detect DNS tunneling focus on analyzing individual DNS requests and responses. While these techniques can detect individual instances of DNS tunneling, these techniques do not provide insight into the overall pattern of the DNS tunnel traffic. Further, it is possible to avoid detection by carefully manipulating the actual requests and response contents.