How would you design a system to detect DNS tunneling or data exfiltration attempts in real-time traffic?