Think of DNS tunneling like stuffing secret notes inside the envelopes of routine mail. The post office sees only envelopes, so the notes slip through. Consumer VPN and “free net” apps use the same trick with DNS queries and responses to bypass filters. On a protected network, that stunt shows up as odd, repetitive lookups to a single domain or clusters of subdomains that were never meant for everyday browsing.
Below, we present an analysis of several domains and applications that depend on, or are closely linked to, DNS tunneling or related covert transport mechanisms. We'll then cover how ThreatSTOP Protective DNS intercepts this traffic before it poses a risk. I intentionally omitted discussing all the applications we monitor and control, so I've selected the five that caught my attention this morning.
App: AM TUNNEL PLUS, attributed to the APNA TUNNEL group.
Status: Unpublished from Google Play on January 10, 2025. Third-party stores still distribute it, and we still see active traffic as of this morning (2025-09-09).
Evidence of linkage: The app’s privacy policy URL points to https://ammoplus[.]xyz/user/privacy_pub, which ties the app to the domain.
Infra notes: The domain is used for app infrastructure, not a normal website.
Observed subdomain example: sd-udp534.ammoplus[.]xyz. A full query name observed under it:
7olyey2haootjy5m5miezrfenlrvcacaacjs6aaafuaaaaa4aaaaanaaaaacfjv.jbjnfvyzfcimkl2mr3ycs6e6osoqx2ty7bh5eojsboqpcxcldvaxjyhjvjie3cz.ka5peoqnt7oyq4h3q.sd-udp534.ammoplus[.]xyz
App: Zedtunnel VPN, positioned as “Unlimited Free SSH and SlowDNS VPN.”
DNS tunneling: Strong. The app advertises a DNS mode and references SlowDNS or DNSTT. Community reports describe "free browsing" by selecting DNS-based presets. It can easily bypass corporate security controls.
Infra notes: Domain used as a rendezvous for tunnel traffic, often with queries to subdomains carrying encoded payloads. Historical DNS places it on a VPS.
Let's pause and chat about this "SlowDNS" term:
Zedtunnel VPN implements a DNS tunnel protocol referred to as "Slow DNS" or DNSTT. (In community slang, "SlowDNS" has become a generic term for DNS-based free-internet tricks, a nod to the fact that it is usually much slower than a normal connection.) DNSTT stands for "DNS Tunnel Turbo", an open-source protocol that carries data in DNS TXT records and can also leverage DNS over HTTPS/TLS for stealth. Zedtunnel's inclusion of a "Slow DNSTT protocol" mode indicates that when a user activates this mode, the app performs DNS lookups for subdomains of zedtunnel[.]com (or related domains controlled by the service) that encode the user's traffic. On the server side, an authoritative DNS server for zedtunnel[.]com (running a tunneling daemon) answers those queries with crafted DNS responses that carry the tunneled data. This effectively creates a VPN-like link over DNS.
How zedtunnel[.]com is used in DNS tunneling: Typically, the app will have configured zedtunnel[.]com (or a subdomain) as the tunnel domain. For example, it might query something like "wlk7krraa6lqd2g2pdy5tttavr4q.sgt1.zedtunnel[.]com". The queries are routed by the device's resolver (often the ISP's DNS server) up to the authoritative nameserver for zedtunnel[.]com. Using DNSTT, the payload is placed in DNS records (commonly TXT records) rather than standard A record lookups. An observed TXT response, shown in DNS presentation format with non-printable bytes as \DDD decimal escapes, looked like this:
\000\026\015 /XQ\000@\000-fKY<\000\000\000M\000\000\000\002\000\000\000\000\024\0000\015
/XQ\000@\000-fKY=\000\000\000M\000\000\000\024\000\000\000\198;\232\222\132G\020J\145\142
\003\165Z\230\001\150\231hv\183E\194\192\025\000J\015 /XQ\000@\000\140mKY<\000\000\000M
\000\000\000\002\000\000\000\000\024\015 /XQ\000@\000\140mKY=\000\000\000M\000\000\000
\024\000\000\000\198;\232\222\132G\020J\145\142\003\165Z\230\001\150\231hv\183E\194\192
\025\000J\015 /XQ\000@\000J|KY<\000\000\000M\000\000\000\002\000\000\000\000\024\015
/XQ\000@\000J|KY=\000\000\000M\000\000\000\024\000\000\000\198;\232\222\132G\020J\145
\142\003\165Z\230\001\150\231hv\183E\194\192\025\000\026\015 /XQ\000@\000=\141KY>
\000\000\000M\000\000\000\002\000\000
...
DNS tunnels have high overhead and latency, hence the moniker "SlowDNS." Users on forums have acknowledged this is primarily useful for basic connectivity when you have no data plan.
From a technical evidence standpoint, if one monitors network traffic on a device using Zedtunnel's DNS mode, one would observe a flurry of DNS queries to zedtunnel[.]com (or its subdomains), often with very long or unusual-looking subdomain strings (these carry the encoded data).
Distribution: The ployvpn[.]uk DNS tunnel is utilized via custom tunneling apps rather than a standalone product.
The domain ployvpn[.]uk appears tied to a community-run mobile VPN/tunneling service (again, Android-focused). It is referenced in free “Slow DNS” configurations shared on Telegram, particularly in Southeast Asian free-internet communities.
DNS tunneling:
The Telegram leak provides strong evidence that ployvpn[.]uk’s service uses DNS tunneling. The config explicitly labels “Slow DNS” parameters and even provides a DNS Public Key (a 64-hex string).
3evvzyzqjvqazyyasj7ieyd6doifcacaaa3liaaa7mbaaaghaaaaa2qaaaakbtl.yivqy7mzxxllsdh3nt6sr4y4yii7nnculkmpfb6hqkxdaijte537zca2s33wwim.y7qgd5niwndg7ysxonwpgd2pnanu4nq2npw7yo2yk3yytztonebcactymgvcogf.lgcjkzz36ckqdudt5wtdrdvztsizonphyns2a53g.slow-ss5.ployvpn[.]uk
Distribution: Sergan[.]xyz appears to be another domain used in the DNS-tunneling VPN ecosystem, though it is more obscure. We did not find an official VPN product named “Sergan,” indicating this is likely an infrastructure domain rather than a consumer-facing brand. Its use has been noted in contexts similar to ployvpn[.]uk – i.e. configuration files or account credentials for SSH-over-DNS services. Given the naming and TLD, sergan[.]xyz is likely run by an individual or small group (XYZ domains are low-cost).
DNS tunneling:
gzjsoxeeznw65y2kxqueqztvd6sfcabaaaqqkaaaaeaaaaaaaaaaamaaaaacq2o.h6w5hpehoaepr7u42k45hcj45liniczl2sotulmozn7hm4heodmwlojj4npbc4l.2hvyjysmi6.b.sergan[.]xyz
Distribution: Shared “SSH SlowDNS account” posts list fns2.xyclops[.]cloud:53 with a public key, a direct indicator of DNSTT-style DNS tunneling.
Xyclops[.]cloud’s operation aligns with SlowDNS/DNSTT techniques. The account shared (jfree:828382 in the example) is an SSH login, meaning once the DNS tunnel is established, the user can SSH to the server (often 127.0.0.1 at some forwarded port) to actually proxy traffic. The DNS patterns here would involve the client encoding SSH payloads into a series of DNS queries to fns2.xyclops[.]cloud, which is likely authoritative for the xyclops[.]cloud domain.
DNS tunneling:
c5i7orsthxtvry63p5jeqpjdqkcvcaaaaqbaaaaaaeaaaaaaaaaaamaaaaadwxl.viqpch6flamf37isn74bqyomalyfvfrzn2hpecica45nxkpgjn7q3zfrqoswdvx.i7hdxxg7hg.fns2.xyclops[.]cloud
App: In contrast to the above, pingle[.]one is the domain of a legitimate commercial VPN service called Pingle VPN. Pingle is an emerging VPN provider focusing on censorship-heavy markets (Russia, China, Turkmenistan, etc.), and it offers apps for multiple platforms (Android, iOS, Windows, etc.). The service is professionally developed – the website touts modern proxy protocols and even Web3 integrations (they provide an IPFS link and an Ethereum Name Service domain to reach their site if the main domain is blocked). Pingle’s inclusion in this list is interesting, as it’s not an underground free-tunnel like the others; however, Pingle explicitly markets itself as working in the “strictest internet censorship” environments. This implies Pingle has to use creative techniques to connect – possibly including DNS-based tunneling as a fallback.
Transport: Focus on TLS obfuscation, Cloudflare CDN usage, and alternate reachability methods.
DNS tunneling:
usuxegfmy5jgtyyq247bvpm2u22vcaaaafiqaaaaaaaaaaaaaaaaaaqaaaaaama.t.pingle[.]one
DNS tunneling gives endpoints a covert path off your network. Even if the intent is simply to bypass a captive portal, the effect is the same as a policy violation. Repeated, high-entropy queries to a single uncommon domain or many long subdomain labels are hallmark signs. On corporate networks, this traffic can undermine monitoring and allow unapproved data extraction.
Protective DNS
DNS Defense Cloud and DNS Defense apply thousands of ThreatSTOP Security, Intelligence, and Research team protections in real time.
We maintain protections against DNS tunnels, as well as command and control, data exfiltration, proxy and anonymizer infrastructure, phishing, spam, peer-to-peer abuse, invalid traffic, and DDoS staging.
When domains like the ones above are classified as tunneling infrastructure or high risk, Protective DNS blocks lookups at the resolver. That prevents the tunnel from establishing because the client never reaches the authoritative DNS under the attacker or operator’s control.
Our protections update continuously so newly observed tunnel endpoints and subdomains can be interdicted quickly.
Operational outcomes
Stop unauthorized VPNs and shadow IT tunnels at the first packet that matters.
Reduce exfiltration risk by denying covert channels.
Improve incident response with clear indicators.
Monitor for patterns: Sudden spikes of DNS queries to a single domain, very long subdomain labels, repetitive TXT lookups, and persistent queries at short intervals.
Block by policy: Treat DNS tunneling apps as unapproved network proxies. If your acceptable use policy forbids them, enforce with Protective DNS and IP Defense.
Triage quickly: Identify the host using the tunnel, remove the app, and validate that no sensitive data left the environment.
Hunt IOCs:
ammoplus[.]xyz
zedtunnel[.]com
ployvpn[.]uk
sergan[.]xyz
xyclops[.]cloud
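The hallmark patterns named in the summary above and under "Monitor for patterns" (bursts of queries to one uncommon domain, very long labels, repetitive TXT lookups, nearly every query name unique) can be scored mechanically from resolver logs. The following is an added example, not ThreatSTOP's code and not part of the original post: it parses log lines in a constructed format, groups them by client and base domain, and reports groups that trip at least two of the patterns. The log format, the thresholds, the two-label base-domain heuristic, the client addresses and the tunnel-example.test domain are all assumptions or constructed sample data.

```python
import random
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption): "<ISO 8601 UTC timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)$")


def base_domain(qname: str) -> str:
    """Heuristic: last two labels. Production code should use a public-suffix list (assumption)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(lines):
    """Yield dicts for lines matching LOG_RE; anything else is skipped rather than crashing the scan."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_tunnel_candidates(lines, min_queries=10, min_unique_ratio=0.8,
                           long_label=40, min_txt_ratio=0.5, min_reasons=2):
    """Group queries by (client, base domain) and score the hallmark tunneling patterns."""
    groups = defaultdict(list)
    for rec in parse_log(lines):
        groups[(rec["client"], base_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in groups.items():
        n = len(recs)
        unique_ratio = len({r["qname"] for r in recs}) / n
        max_label = max(len(l) for r in recs for l in r["qname"].split("."))
        txt_ratio = sum(r["qtype"] == "TXT" for r in recs) / n
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        rate = n / (span / 60) if span > 0 else float(n)  # queries per minute
        reasons = []
        if n >= min_queries and unique_ratio >= min_unique_ratio:
            reasons.append(f"{n} queries, {unique_ratio:.0%} unique names")
        if max_label >= long_label:
            reasons.append(f"label length {max_label}")
        if n >= min_queries and txt_ratio >= min_txt_ratio:
            reasons.append(f"{txt_ratio:.0%} TXT lookups")
        if len(reasons) >= min_reasons:
            findings.append({"client": client, "domain": domain, "queries": n,
                             "per_minute": round(rate, 1), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["queries"])


def constructed_sample_log(tunnel_queries=20):
    """Build a constructed sample log: routine lookups plus a burst of DNSTT-like names (not real telemetry)."""
    rng = random.Random(2025)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"
    lines = []
    for i in range(tunnel_queries):
        labels = ["".join(rng.choice(alphabet) for _ in range(63)) for _ in range(2)]
        labels.append("".join(rng.choice(alphabet) for _ in range(20)))
        lines.append(f"2025-09-09T08:00:{i:02d}Z 10.0.0.5 TXT {'.'.join(labels)}.sd1.tunnel-example.test")
    for i, host in enumerate(["www.example.com", "api.example.com", "www.example.com",
                              "cdn.example.net", "www.example.com", "api.example.com"]):
        lines.append(f"2025-09-09T08:00:{i * 5:02d}Z 10.0.0.5 A {host}")
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(constructed_sample_log()):
        print(finding)
```

On the constructed log the only group reported is 10.0.0.5 talking to tunnel-example.test, with all three reasons attached; the routine example.com lookups from the same client stay below every threshold. Requiring two reasons rather than one keeps a single long CNAME or a busy but legitimate CDN from paging anyone, and the per-client grouping is what lets the triage step identify the host to pull the app from.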
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today.
Connect with Customers, Disconnect from Risks
ATT&CK Tactic | Technique | Why it applies in this context
---|---|---
Command and Control | Application Layer Protocol: DNS (T1071.004) | DNS queries and responses are used as the C2 and data channel in SlowDNS and DNSTT modes.
Command and Control | Encrypted Channel (T1573) | DNSTT and many tunnel apps encrypt payloads inside DNS to prevent content inspection.
Command and Control | Proxy (T1090) | Tunneling apps act as unauthorized proxies to external infrastructure.
Exfiltration | Exfiltration Over C2 Channel (T1041) | Data can be moved out over the same DNS tunnel used for control.
Exfiltration | Exfiltration Over Alternative Protocol (T1048) | DNS is used as an alternative protocol to move data when other traffic is blocked.
Defense Evasion | Obfuscated/Compressed Data (T1027) and Data Obfuscation (T1001) | Payloads are encoded in subdomain labels or TXT records to evade simple detection.
Discovery and Resource Development | Domain and DNS infrastructure are repurposed for covert transport | Use of custom authoritative DNS and dynamic subdomains supports the tunnel channel.