sslip.io

Operational Status: ^[Status]

sslip.io is a DNS (Domain Name System) service that, when queried with a hostname with an embedded IP address, returns that IP Address. It was inspired by xip.io, which was created by Sam Stephenson.

Here are some examples:

Branding / White Label / Custom Domains

sslip.io can be used to brand your own site (you don’t need to use the sslip.io domain). For example, say you own the domain “example.com”, and you want your subdomain, “xip.example.com” to have xip.io-style features. To accomplish this, set the following three DNS servers as NS records for the subdomain “xip.example.com”

Let’s test it from the command line using dig:

dig @ns-gce.nono.io. 169-254-169-254.xip.example.com +short

Yields, hopefully: ^{[connection timed out]}

169.254.169.254

But I Want My Own DNS Server!

If you want to run your own DNS server, it's simple: you can compile from source or you can use one of our pre-built binaries. In the following example, we install & run our server within a docker container:

docker run -it --rm fedora
curl -L https://github.com/cunnie/sslip.io/releases/download/2.1.2/sslip.io-dns-server-linux-amd64 -o dns-server
chmod +x dns-server
./dns-server 2> dns-server.log &
dnf install -y bind-utils
dig @localhost 127-0-0-1.sslip.io +short # returns "127.0.0.1"

TLS

You can acquire TLS certificates for your externally-accessible hosts from certificate authorities (CAs) such as Let's Encrypt. The easiest mechanism to acquire a certificate would be to use the HTTP-01 challenge. It requires, at a minimum, a web server running on your machine. The Caddy web server is one of the most popular examples. For example, if you had a webserver with the IP address 52.0.56.137, you could obtain a TLS certificate for "52.0.56.137.sslip.io", or "www.52.0.56.137.sslip.io", or "prod.www-52-0-56-137.sslip.io".

If you have procured a wildcard certificate for your branded / white label / custom sslip.io-style subdomain, you may install it on your machines for TLS-verified connections.

Unless you're a VMware employee, I can't release the private key for the "*.sslip.io" wildcard certificate (VMware employees can download the *.sslip.io TLS private key here); however, acquiring wildcard certificates for "sslip.io" subdomains, e.g. "*.52-0-56-137.sslip.io", is possible but more complicated. For those interested, the procedure is described here.

Related Services

• xip.io: the inspiration for sslip.io
• nip.io: similar to xip.io, but the PowerDNS backend is written in elegant Python
• localtls: A DNS server + webserver to provide TLS to on local addresses.

Footnotes

^[Status] A status of “build failing” rarely means the system is failing. It’s more often an indication that when the servers were last checked (currently every six hours), the CI (continuous integration) server had difficulty reaching one of the three sslip.io nameservers. That’s normal. ^{[connection timed out]}

^{[connection timed out]}

DNS runs over UDP which has no guaranteed delivery, and it’s not uncommon for the packets to get lost in transmission. DNS clients are programmed to seamlessly query a different server when that happens. That’s why DNS, by fiat, requires at least two nameservers (for redundancy). From IETF (Internet Engineering Task Force) RFC (Request for Comment) 1034:

A given zone will be available from several name servers to insure its availability in spite of host or communication link failure. By administrative fiat, we require every zone to be available on at least two servers, and many zones have more redundancy than that.