It's a fun little program, but calling it stealthy is a reach. It seems to just extract a bytestream from the subdomain of the domain requested. Very easy to detect, very easy to see, and not much data can be xfered.
It's equally as "stealthy" as just sending requests to a domain you own and logging every request. e.g. mysite.com/<bytes>
I think it is stealthy since the data is not sent directly from the victim PC to the server, but rather the DNS server relays the file as a normal part of DNS recursion.
Since it looks like a normal DNS request, it is much harder to filter than sending out packets on monitored and easily proxied ports like 80 and 443.
I certainly wouldn't want to try and whitelist every DNS entry on the whole Internet...
I don't think it is possible to use recursion for this. At least not reliably, as it's quite likely you will hit a cached record, which means the file would not have been transferred completely to your authoritative server... (using some kind of counter could help though)
Simple enough to ensure each transfer uses both a unique transfer id and then a simple packet sequence number counter. This would ensure every request is unique.
I think your use of dots speaks for itself there ;). I know of several companies that log DNS, and it wouldn't pass inspection by a human operator which also has to be considered for something to be stealthy.
Lots of big enterprise shops monitor DNS too. OpenDNS (now Cisco) sells this as a service, lots of other security companies have tried to play catch up with various solutions.
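The detection side of this discussion, as an added example (not code from the thread or from the tool being discussed): a small scorer that runs over DNS query logs and flags registered domains receiving many unique, long, high-entropy subdomain queries. The per-packet sequence counter mentioned above is exactly what drives the unique-query count up, and the encoded payload is what drives label length and entropy. The log format, the sample lines, the thresholds and the "registered domain = last two labels" rule are all assumptions made for this example; a production version would use a public-suffix list and tune thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample query log (not from the thread): "<unix_ts> <client_ip> <qname>".
# example.net carries tunnel-style queries; example.com and example.org are ordinary traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 mail.example.com
1700000002 10.0.0.7 a3f9c1e2b7d4.f00dbeefc0de.tunnel.example.net
1700000003 10.0.0.7 9b1e2f3a4c5d.deadc0ffee11.tunnel.example.net
1700000004 10.0.0.7 7c8d9e0f1a2b.0badf00d1234.tunnel.example.net
1700000005 10.0.0.9 cdn.example.org
1700000006 10.0.0.7 e1f2a3b4c5d6.feedfacecafe.tunnel.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (prefix_labels, registered_domain).

    Assumption for this example: the registered domain is the last two labels.
    Real deployments should use a public-suffix list (co.uk etc.).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the assumed '<ts> <client> <qname>' format into (client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, qname = parts
        records.append((client, qname))
    return records


def score_domains(records, min_unique=3, min_entropy=3.0, min_prefix_len=20):
    """Flag registered domains whose subdomain queries look like encoded data.

    A domain is flagged when it has at least `min_unique` distinct qnames and the
    subdomain prefixes (dots removed) are, on average, both long and high-entropy.
    Thresholds are illustrative assumptions, not tuned values.
    """
    per_domain = defaultdict(dict)  # domain -> {qname: (prefix_len, entropy)}
    for _client, qname in records:
        prefix, domain = split_qname(qname)
        flat = "".join(prefix)
        per_domain[domain][qname] = (len(flat), shannon_entropy(flat))

    flagged = {}
    for domain, qnames in per_domain.items():
        if len(qnames) < min_unique:
            continue
        mean_len = sum(length for length, _ in qnames.values()) / len(qnames)
        mean_ent = sum(ent for _, ent in qnames.values()) / len(qnames)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            flagged[domain] = {
                "unique_qnames": len(qnames),
                "mean_prefix_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {stats}")
```

Run on the sample log, only example.net is reported; www/mail/cdn-style names never reach the length or entropy bars, which is the point the thread makes about human-readable DNS logs: the traffic does not need to be blocked at the port to be seen.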