Archive for the ‘Intrusion Detection’ Category

Snort rules for Iodine Covert DNS Tunnel Detection

Sunday, July 26th, 2009

I created two Snort IDS rules to detect covert Iodine tunnels. Frequently in corporate environments and Wi-Fi hotspots, DNS is not blocked at the firewall and is allowed to flow to the internet while other types of traffic are restricted. Iodine lets users take advantage of this fact and tunnel IPv4 traffic over DNS queries. These Snort rules were tested with Iodine version 0.4.2; I’m very interested in getting feedback on how the rules are working (or not) for you, or how I could make them better. You can find the Iodine Snort rules at this location: http://www.securitywire.com/snort_rules/iodine.rules
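Signature rules like the ones linked above match the specific protocol markers of one tool and version; a complementary approach is to look at the statistical shape of DNS traffic, since any tunnel over DNS has to carry its payload in the query names. The script below is an added example written for this post, not the author’s Snort rules and not based on Iodine’s own wire format: it profiles a passive-DNS log per parent domain and flags domains that show the tunnel pattern (long, high-entropy labels, almost every query a new subdomain, and heavy use of NULL/TXT record types). The log format, the sample lines, the domain names and the thresholds are all constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample passive-DNS log lines (not from the original post), in the
# assumed form "<epoch> <client-ip> <qtype> <qname>". The first four lines are
# ordinary lookups; the remaining lines mimic a DNS tunnel: many unique, long,
# high-entropy labels under a single parent domain, carried in NULL queries.
SAMPLE_LOG = """\
1248600000 10.0.0.5 A www.example.com
1248600001 10.0.0.5 AAAA mail.example.com
1248600002 10.0.0.7 A cdn.example.org
1248600003 10.0.0.7 MX example.org
1248600004 10.0.0.9 NULL 0aqf3k9z2mxv7p1rb5ntyw8cjd4hgl6s.t.tunnel-example.net
1248600005 10.0.0.9 NULL 9zhs5tqk2pdr7xcm1wnf3ljb8vey4g6a.t.tunnel-example.net
1248600006 10.0.0.9 NULL 4mqv8tcb1kzp6sfr3ynx0hwl2dj9g7e5.t.tunnel-example.net
1248600007 10.0.0.9 NULL 7dnx2bkf9rwp4csl1zgm6thj3vqy8e0a.t.tunnel-example.net
1248600008 10.0.0.9 NULL 1wkd6rpz3lfx9mqb4hst7ncv0jgy2e8a.t.tunnel-example.net
1248600009 10.0.0.9 NULL 5trc0yqd8nkh2fbl7wsz4pmx1gjv6e3a.t.tunnel-example.net
"""

# Record types that carry large, free-form payloads and are rarely used by
# ordinary clients; a high share of these under one domain is suspicious.
RARE_QTYPES = {"NULL", "TXT"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payload scores far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one assumed-format log line into (qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, _client, qtype, qname = parts
    return qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str):
    """Return (parent, subdomain); the parent is taken as the last two labels."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(lines):
    """Aggregate per-parent-domain features over the whole log."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "rare": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        qtype, qname = parsed
        parent, sub = split_name(qname)
        st = stats[parent]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["sub_len"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["rare"] += int(qtype in RARE_QTYPES)
    return stats


def detect_tunnels(lines, min_queries=5, min_avg_len=30, min_entropy=3.5):
    """Return {parent_domain: [reasons]} for domains whose traffic looks tunneled.

    A domain is reported only when at least two independent indicators fire,
    which keeps single odd lookups (one long CDN hostname) from alerting.
    """
    suspects = {}
    for parent, st in profile_domains(lines).items():
        n = st["queries"]
        if n < min_queries:
            continue  # too little traffic to judge
        avg_len = st["sub_len"] / n
        avg_ent = st["entropy"] / n
        unique_ratio = len(st["subdomains"]) / n
        reasons = []
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            reasons.append("long high-entropy labels")
        if unique_ratio > 0.9:
            reasons.append("almost every query is a new subdomain")
        if st["rare"] / n > 0.5:
            reasons.append("mostly NULL/TXT queries")
        if len(reasons) >= 2:
            suspects[parent] = reasons
    return suspects


if __name__ == "__main__":
    for domain, why in detect_tunnels(SAMPLE_LOG.splitlines()).items():
        print(f"{domain}: {', '.join(why)}")
```

Run against the constructed log it reports only `tunnel-example.net`; the ordinary lookups never reach the minimum query count. The thresholds are starting points: on a real resolver log, baseline the per-domain averages first, since CDNs and anti-spam services legitimately produce long unique labels under one parent, and the two-indicator requirement is what keeps those from paging anyone.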