This is very cool; too bad I don't have a domain. I was thinking about how one would look for this kind of traffic on the network.
Looking for abnormally large dns packets, whether tcp or udp would probably work. You could build a custom sniffer to analyze the traffic and do packet size measurements, then log it with the corresponding ip addresses on the lan and you're in business.
You think any modern intrusion detection/prevention software looks for this sort of thing?
