Journal on Communications


Detecting DNS-based covert channel on live traffic

  

  • Online: 2013-05-25 Published: 2013-05-15

Abstract: To develop an effective detection method for DNS-based covert channels, the traffic characteristics of such channels are studied thoroughly. From DNS packets, 12 features are extracted to distinguish covert channels from legitimate DNS queries. The statistical characteristics of these features are used as input to a machine learning classifier. Experimental results show that the decision tree model detects all 22 covert channels used in training and is also capable of detecting untrained covert channels. Several DNS tunnels were detected during the evaluation on a campus network's live DNS traffic.
