Detecting domain name system (DNS) tunneling based on DNS logs and network data
Abstract:
A system to detect domain name server tunneling includes a processor and machine readable instructions stored on a tangible machine readable medium, which when executed by the processor, configure the processor to collect, during a predetermined time period, responses received from a domain name server to queries sent to the domain name server by a computing device, the responses including internet protocol (IP) addresses; collect IP addresses accessed by the computing device during the predetermined time period; compare the IP addresses received by the computing device in the responses from the domain name server to the IP addresses accessed by the computing device; and detect domain name server tunneling based on the comparison.
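The comparison described in the abstract, as an added example that is not taken from the patent. It assumes DNS responses and connection records are already parsed into tuples; the decision rule (at least five resolved IPs, 80% of them never accessed) is an assumption, since the abstract does not say how the comparison becomes a verdict. All hosts, names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample data (documentation IP ranges, hypothetical hosts and names).
# DNS responses: (epoch_seconds, client_host, query_name, answer_ips)
DNS_RESPONSES = [
    (10, "10.0.0.5", "www.example.com", ["192.0.2.10"]),
    (12, "10.0.0.5", "cdn.example.net", ["192.0.2.20", "192.0.2.21"]),
    (15, "10.0.0.5", "mail.example.org", ["192.0.2.30"]),
    (20, "10.0.0.5", "api.example.com", ["192.0.2.40"]),
    (25, "10.0.0.7", "txt-only.example.com", []),  # response carrying no IPs
    (700, "10.0.0.5", "late.example.com", ["192.0.2.99"]),  # outside the window
] + [(30 + i, "10.0.0.9", f"chunk{i}.t.example", [f"198.51.100.{i}"])
     for i in range(1, 7)]

# Connections actually made: (epoch_seconds, client_host, destination_ip)
FLOWS = [
    (11, "10.0.0.5", "192.0.2.10"),
    (13, "10.0.0.5", "192.0.2.20"),
    (16, "10.0.0.5", "192.0.2.30"),
    (21, "10.0.0.5", "192.0.2.40"),
    (31, "10.0.0.9", "203.0.113.53"),  # only talks to its resolver
]

def unused_answer_ratio(dns_responses, flows, start, end):
    """Per host: (share of resolved IPs never accessed, number of resolved IPs)."""
    resolved, accessed = defaultdict(set), defaultdict(set)
    for ts, host, _qname, ips in dns_responses:
        if start <= ts < end and ips:  # skip responses without IP addresses
            resolved[host].update(ips)
    for ts, host, dst in flows:
        if start <= ts < end:
            accessed[host].add(dst)
    report = {}
    for host, ips in resolved.items():
        unused = ips - accessed.get(host, set())
        report[host] = (len(unused) / len(ips), len(ips))
    return report

def flag_hosts(report, min_ratio=0.8, min_answers=5):
    """Assumed decision rule: many resolved IPs, almost none of them contacted."""
    return sorted(h for h, (ratio, n) in report.items()
                  if n >= min_answers and ratio >= min_ratio)

if __name__ == "__main__":
    rep = unused_answer_ratio(DNS_RESPONSES, FLOWS, start=0, end=600)
    for host, (ratio, n) in sorted(rep.items()):
        print(f"{host}: {n} resolved IPs, {ratio:.0%} never accessed")
    print("flagged:", flag_hosts(rep))
```

The `min_answers` floor keeps hosts with only a handful of lookups from being flagged on a high ratio alone; both thresholds would need tuning against a baseline of normal traffic.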