EvanAnderson 3 days ago
Back when I was using it similarly to the other poster (say, 15 years ago) that wasn't the case. It's still a great litmus test of security posture today. Just using DNS for data exfiltration, in general, is usually pretty fruitful. I wrote a "live off the land" data exfil script for Windows once, using the certutil and nslookup commands to base64 encode data and ship it out to my off-site DNS server. I'll have to try it against a Palo Alto NGFW sometime and see what alarms I trip. I honestly never thought to try.
lormayna 2 days ago
That made sense 15 years ago. Right now even the SOHO appliances have the DNS inspection feature.