Detection and Alerting on DNS tunnels for C2

We are testing the DNS tunnel detection and I am unclear as to what I should be seeing in the way of alerts.

Scenario:
PC A is running a C2 beacon to an off-network host. All DNS traffic is sent to Server A on our network.
Server A forwards DNS queries to Zscaler ZEN IP over GRE/IPsec tunnel

Current Results
I see the DNS traffic in DNS Insights logs. Each DNS request is marked as:

DNS Tunnels & Network Apps DNS Tunnel & Network App Categories
DNS Network Service

Expected Result
The DNS tunnel domain would be included in an alert so that a security analyst would be prompted to investigate.