For people who still believe that a firewall could control traffic from inside to outside and back. IP over DNS is not just a pipe dream, but a valid concept with working example code. This way — provided you control a nameserver somewhere outside (which is nowadays possible for anyone with a cheap root server and a domain registration) — you can get through every firewall, as long as name resolution is allowed in the local network — even if the computer in question otherwise has no access to the outside (i.e. can neither send/receive mail nor surf the web — because if it can do that, it already has a trivial channel to the outside).
A good reason why you should implement nameservers on the firewall so that only internal hosts are resolved towards the inside, and resolution of external hosts should only be done on the proxy server. Or why in some areas you might simply need to cut the cable to the outside for security reasons.