DNS Threats

InvisiMole would pad queries with collections of 'a' to reduce the entropy of the query.

Analysis will look at two- and three-letter pairings, e.g. 'ed' is often seen together; 'qx' not so much.
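An added example (not from the original notes) of why entropy alone is not enough: padding with 'a' pulls a label under an entropy threshold, while the letter-pairing check and a repeated-character check still flag it. The bigram set, thresholds, function names and sample labels are all constructed assumptions.

```python
import math
from collections import Counter
from itertools import groupby

# Constructed, deliberately small set of common English bigrams (assumption).
# A real detector would learn pair frequencies from a large benign-name corpus.
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ed es or te st ar ou it al le ng se "
    "ma il co me de ne li ve ic ra io ti ce ro".split()
)

# Constructed sample labels (leftmost DNS label of a query name).
BENIGN = "mailserver"
ENCODED = "q3xk9zv7w2pj8hf4"      # stands in for an encoded data chunk
PADDED = ENCODED + "a" * 24       # same chunk padded with 'a', as described above

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def common_bigram_ratio(label):
    """Fraction of adjacent character pairs that are common English bigrams."""
    pairs = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs)

def longest_run_ratio(label):
    """Longest run of one repeated character as a share of the label length."""
    return max(len(list(g)) for _, g in groupby(label)) / len(label)

def classify(label, entropy_max=3.5, bigram_min=0.25, run_max=0.3):
    """Return the list of checks the label fails (empty list = not flagged)."""
    label = label.lower()
    if len(label) < 4:            # too short to score meaningfully
        return []
    reasons = []
    if shannon_entropy(label) > entropy_max:
        reasons.append("entropy")
    if common_bigram_ratio(label) < bigram_min:
        reasons.append("bigram")
    if longest_run_ratio(label) > run_max:
        reasons.append("run")
    return reasons

if __name__ == "__main__":
    for name in (BENIGN, ENCODED, PADDED):
        print(f"{name:42} H={shannon_entropy(name):.2f} flags={classify(name)}")
```
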

Malware will query an A record that will be the checksum of the next query, which is the TXT record (data chunk).

PowerSource (Carbanak Group) TXT records contain Base64-encoded, gzipped PowerShell code. 44 queries, 250 chars each. 30 seconds to download.