This reminds me of the old tools that tunnel more or less whatever over DNS. I.e. behind the scenes, the tool would look up "base64encodedpacket.domainyoucontrol.example.com", and it would respond with encoded data going the other way. This is because captive portal WiFi often permitted DNS to pass through unimpeded, for various reasons.

I always appreciated the hack, even though I could never bring myself to use it due to the obvious cache pollution problem on the various DNS servers.