The use of DNS tunneling and skirting logs makes my head spin. Even if justification of exfiltrating 10GB of sensitive data could be made, there are widely available means of doing so that aren't the methods of state-sponsored hackers and the like.
"DNS tunneling" (abnormal number of DNS requests) actually might be caused by software that doesn't use a DNS cache. I was once banned by 8.8.8.8 (Google's DNS server) for sending too many requests because youtube-dl was making a DNS request for each tiny segment of a video (and there were thousands of them).
Well, maybe one shouldn't be using Google's DNS server when violating ToU to download Google's video.
But an abnormal number of DNS requests AND recorded outbound data totaling 10GB, with no other obvious indication of a less-subversive means of data transfer? I'd be very surprised if youtube-dl could come close to even 10MB of DNS requests at its chattiest.
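
The distinction argued in this thread, a client that repeats the same lookups because it has no cache versus query names that themselves carry data, can be checked from resolver logs. The sketch below is an added example, not code from any commenter; the client addresses, the `.example` domains, the thresholds and the two-label base-domain rule are all assumptions made for illustration.

```python
from collections import defaultdict

def base_domain(qname, labels=2):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def summarize(queries):
    """queries: iterable of (client, qname). Returns stats per (client, base domain)."""
    stats = defaultdict(lambda: {"total": 0, "names": set()})
    for client, qname in queries:
        s = stats[(client, base_domain(qname))]
        s["total"] += 1
        s["names"].add(qname.rstrip(".").lower())
    out = {}
    for key, s in stats.items():
        base_len = len(key[1]) + 1  # base domain plus the separating dot
        # Upper bound on data carried in query names: characters left of the base
        # domain, counted once per distinct name (a repeated name carries nothing new).
        carried = sum(max(len(n) - base_len, 0) for n in s["names"])
        out[key] = {"total": s["total"], "unique": len(s["names"]),
                    "unique_ratio": len(s["names"]) / s["total"],
                    "carried_chars": carried}
    return out

def classify(stat, min_queries=100, ratio=0.9, avg_chars=30):
    # Thresholds are illustrative assumptions; tune them against local baselines.
    if stat["total"] < min_queries:
        return "normal"
    if stat["unique_ratio"] >= ratio and stat["carried_chars"] / stat["unique"] >= avg_chars:
        return "possible-tunnel"
    return "repeated-lookups"

# Constructed sample log: one uncached client repeating a single name, and one
# client sending 500 distinct long names under a single base domain.
SAMPLE = [("10.0.0.5", "edge1.media.example")] * 2000
SAMPLE += [("10.0.0.9", f"{i:040x}.t.tunnel.example") for i in range(500)]

STATS = summarize(SAMPLE)
VERDICTS = {key: classify(stat) for key, stat in STATS.items()}
```

A high query count alone puts both clients over `min_queries`; only the share of distinct names and the characters carried per name separate them.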