Invention Grant
- Patent Title: Real-time cloud-based detection and mitigation of DNS data exfiltration and DNS tunneling
- Application No.: US15333120
- Application Date: 2016-10-24
- Publication No.: US10230760B2
- Publication Date: 2019-03-12
- Inventor: Sameer Thakar, Nathan Glenn
- Applicant: VERISIGN, INC.
- Applicant Address: US VA Reston
- Assignee: VERISIGN, INC.
- Current Assignee: VERISIGN, INC.
- Current Assignee Address: US VA Reston
- Agency: Artegis Law Group, LLP
- Main IPC: G06F11/00
- IPC: G06F11/00 ; H04L29/06 ; H04L12/46 ; H04L29/12 ; H04L29/08

Abstract:
Various embodiments of the invention disclosed herein provide techniques for managing a domain name system (DNS) based attack. An exfiltration and tunneling mitigation platform receives a first DNS request directed to a first domain name. The exfiltration and tunneling mitigation platform determines that a first characteristic associated with a first fully qualified domain name (FQDN) included in the first DNS request exceeds a first threshold value. In response, the exfiltration and tunneling mitigation platform computes a distance between the first FQDN and a second FQDN included in a second DNS request also directed to the first domain name. The exfiltration and tunneling mitigation platform increments a first count value associated with the first domain name based on the distance. At least one advantage of the disclosed techniques is that a DNS-based attack can be detected and mitigated before a significant amount of DNS exfiltration or DNS tunneling has occurred.
Public/Granted literature
- US20180115582A1 REAL-TIME CLOUD-BASED DETECTION AND MITIGATION OF DNS DATA EXFILTRATION AND DNS TUNNELING (Public/Granted day: 2018-04-26)