I would have had far more positive feelings towards the hack if they had done that - e.g. had their roommate configure a bot to monitor a wechat room and respond to url requests by sending back a webpage. tunneling over DNS feels icky because the reason DNS traffic goes into a separate accounting pool is so that the basic infrastructure of the internet can be kept working smoothly, so this is getting firmly into tragedy of the commons territory.

Intent matters. In US legal jurisdictions that could potentially be prosecuted as a CFAA violation, although I'm not aware of any cases like that yet.

https://www.justice.gov/jm/jm-9-48000-computer-fraud

The U.S. has one of the most overbearing laws in that regard, though. The OP happened on a flight leaving Canada.