sslip.io
Operational Status: [Status]
sslip.io is a DNS (Domain Name System) service that, when queried with a hostname with an embedded IP address, returns that IP address. It was inspired by xip.io, which was created by Sam Stephenson.
Here are some examples:
| Hostname / URL | IP Address | Notes |
|---|---|---|
| https://104.155.144.4.sslip.io | 104.155.144.4 | dot separators, sslip.io website mirror (IPv4) |
| https://52-0-56-137.sslip.io | 52.0.56.137 | dash separators, sslip.io website mirror (IPv4) |
| www.192.168.0.1.sslip.io | 192.168.0.1 | subdomain |
| www.192-168-0-1.sslip.io | 192.168.0.1 | subdomain + dashes |
| https://www-78-46-204-247.sslip.io | 78.46.204.247 | dash prefix, sslip.io website mirror (IPv4) |
| --1.sslip.io | ::1 | IPv6 — always use dashes, never dots |
| https://2a01-4f8-c17-b8f--2.sslip.io | 2a01:4f8:c17:b8f::2 | sslip.io website mirror (IPv6) |
Branding / White Label / Custom Domains
sslip.io can be used to brand your own site (you don’t need to use the sslip.io domain). For example, say you own the domain “example.com”, and you want your subdomain, “xip.example.com” to have xip.io-style features. To accomplish this, set the following three DNS servers as NS records for the subdomain “xip.example.com”
| hostname | IP address | Location |
|---|---|---|
ns-aws.sslip.io. |
52.0.56.137 2600:1f18:aaf:6900::a |
USA |
ns-gce.sslip.io. |
104.155.144.4 | USA |
ns-azure.sslip.io. |
52.187.42.158 | Singapore |
Let’s test it from the command line using dig:
dig @ns-gce.sslip.io. 169-254-169-254.xip.example.com +shortYields, hopefully: [connection timed out]
169.254.169.254But I Want My Own DNS Server!
If you want to run your own DNS server, it's simple: you can compile from source or you can use one of our pre-built binaries. In the following example, we install & run our server within a docker container:
docker run -it --rm fedora curl -L https://github.com/cunnie/sslip.io/releases/download/2.6.0/sslip.io-dns-server-linux-amd64 -o dns-server chmod +x dns-server ./dns-server 2> dns-server.log & dnf install -y bind-utils dig @localhost 127-0-0-1.sslip.io +short # returns "127.0.0.1"
TLS
You can acquire TLS certificates for your externally-accessible hosts from certificate authorities (CAs) such as Let's Encrypt. The easiest mechanism to acquire a certificate would be to use the HTTP-01 challenge. It requires, at a minimum, a web server running on your machine. The Caddy web server is one of the most popular examples. For example, if you had a webserver with the IP address 52.0.56.137, you could obtain a TLS certificate for "52.0.56.137.sslip.io", or "www.52.0.56.137.sslip.io", or "prod.www-52-0-56-137.sslip.io".
If you have procured a wildcard certificate for your branded / white label / custom sslip.io-style subdomain, you may install it on your machines for TLS-verified connections.
When using a TLS wildcard certificate in conjunction with your branded sslip.io style subdomain, you must use dashes not dots as separators. For example, if you have the TLS certificate for *.xip.example.com, you could browse to https://www-52-0-56-137.xip.example.com/ but not https://www.52.0.56.137.xip.example.com/.
if you're interested in acquiring a wildcard certificate for your sslip.io domain, e.g. "*.52-0-56-137.sslip.io", the procedure is described here.
Experimental Features
Experimental features can change; don't depend on them.
Determining Your External IP Address via DNS Lookup
You can use sslip.io's DNS servers (ns.sslip.io) to determine your public IP address by querying
the TXT record of ip.sslip.io:
dig @ns.sslip.io txt ip.sslip.io +short # sample reply "2607:fb90:464:ae1e:ed60:29c:884c:4b52" dig @ns.sslip.io txt ip.sslip.io +short -4 # forces IPv4 lookup; sample reply "172.58.35.231" dig @ns.sslip.io txt ip.sslip.io +short -6 # forces IPv6 lookup; sample reply "2607:fb90:464:ae1e:ed60:29c:884c:4b52"
This feature was inspired by Google's DNS lookup, i.e. dig txt o-o.myaddr.l.google.com @8.8.8.8
+short. There are also popular HTTP-based services for determining your public IP address:
- icanhazip.com (backstory)
- ipify.org
- ip4.me
- curlmyip.org
- ifconfig.co
- ipinfo.io (commercial)
A big advantage of using DNS queries instead of HTTP queries is bandwidth: querying
ns-aws.sslip.io requires a mere 592 bytes spread over 2 packets; Querying https://icanhazip.com/ requires 8692 bytes spread out over 34 packets—over 14 times
as much! Admittedly bandwidth usage is a bigger concern for the one hosting the service than the one using the
service.
Determining The Server Version of Software
You can determine the server version of the sslip.io software by querying the TXT record ofversion.status.sslip.io:
dig @ns-gce.nono.io version.status.sslip.io txt +short "2.6.0" "2022/07/14-18:25:29-0700" "6512ebd"
The first number, ("2.6.0"), is the version of the sslip.io DNS software, and is most relevant. The other two numbers are the date compiled and the most recent git hash, but those values can differ across servers due to the manner in which the software is deployed.
Server Metrics
You can retrieve metrics from a given server by querying the TXT records ofmetrics.status.sslip.io
dig @ns-aws.sslip.io metrics.status.sslip.io txt +short
"Uptime: 82059"
"KV Store: etcd"
"Blocklist: 2022-07-15 16:40:03-07 2,3"
"Queries: 6399908 (78.0/s)"
"Answered Queries: 2202200 (26.8/s)"
"A: 1974882"
"AAAA: 87362"
"TXT Source: 269"
"TXT Version: 8"
"TXT KV GET/PUT/DEL: 21/7/7"
"PTR IPv4/IPv6: 0/0"
"NS DNS-01: 455"
"Blocked: 66"
Explanation of Metrics
- Uptime
- The time since the DNS server has been started, in seconds
- KV Store
- This can be one of two values: "builtin" and "etcd". "builtin" means any changes to key/value are limited to that specific DNS server. "etcd" means changes are propagated to all servers whose key-value store is "etcd"
- Blocklist
- The first value ("2022-02-26 10:54:21-08") is the date the blocklist was last downloaded. The following two numbers are the number of string matches that are blocked (e.g. "raiffeisen" is a string that is blocked if it appears in the queried hostname) and the number of CIDR matches that are blocked (e.g. "43.134.66.67/24" is blocked). The blocklist can be found here
- Queries
- This consists of two numbers: The first is the raw number of DNS queries that the server has responded to since starting operation, and the second is the first number divided by the uptime (i.e. queries/second)
- Answered Queries
- This consists of two numbers: the first is the number of queries we responded to with at least one record in the answer section, and the second is the first number divided by the uptime (i.e. queries/second). Note that the number of answered queries is typically a third or fourth the size of the overall queries. This is normal. One reason for this disparity is that often both the IPv4 (A) and IPv6 (AAAA) records will be checked, but only one reply will have a record in the answer section . For example, browsing to "127.0.0.1.sslip.io" generates two lookups, one with an answer (IPv4), and one without (IPv6). Another reason is that lookups follow a chain, e.g. looking up "127.0.0.1.sslip.io" may generate up to four queries for A records ("1.sslip.io", "0.1.sslip.io", "0.0.1.sslip.io" and "127.0.0.1.sslip.io"), only the last of which returns a record in the answer section. Pro-tip: if you want to shave milliseconds off name resolution, use dashes not dots in your hostname (e.g. "10-9-9-30.sslip.io" instead of "10.9.9.30.sslip.io")
- A
- The number of responses which included an A (IPv4) record since starting operation (e.g. "dig 127.0.0.1.sslip.io")
- AAAA
- The number of responses which included an AAAA (IPv6) record since starting operation (e.g. "dig --1.sslip.io aaaa")
- TXT Source
- The number of responses which included a TXT record of the querier's IP address since starting operation (e.g. "dig @ns.sslip.io ip.sslip.io txt")
- TXT Version
- The number of responses which included a TXT record of the DNS's servers version since starting operation (e.g. "dig @ns-azure.sslip.io version.status.sslip.io txt")
- TXT KV GET/PUT/DEL
- The number of GET/PUT/DELETEs to the DNS-backed key-value store on our sister site, k-v.io
- PTR IPv4/IPv6
- This consists of two numbers; the first is the number of responses to IPv4 PTR queries
(
1.0.0.127.in-addr.arpa.→127-0-0-1.sslip.io.), the second, IPv6 PTR queries - NS DNS-01
- The number of responses which included a delegation of the NS (nameserver) to satisfy a certificate authority's DNS-01 challenge. This lookup is used for generating wildcard certificates from Let's Encrypt and other certificate authority. Technically this is not a "successful" query in that we don't return a record in the ANSWER section, but we do return an NS record in the AUTHORITY section. (e.g. "dig @ns-gce.sslip.io _acme-challenge.192.168.0.1.sslip.io. soa")
Related Services
- xip.io: the inspiration for sslip.io. Sadly, this appears to be no longer maintained after Sam Stephenson left Basecamp.
- nip.io: similar to xip.io, but the PowerDNS backend is written in elegant Python
- localtls: A DNS server + webserver to provide TLS to on local addresses.
Footnotes
[Status] A status of “build failing” rarely means the system is failing. It’s more often an indication that when the servers were last checked (currently every six hours), the CI (continuous integration) server had difficulty reaching one of the three sslip.io nameservers. That’s normal. [connection timed out]
DNS runs over UDP which has no guaranteed delivery, and it’s not uncommon for the packets to get lost in transmission. DNS clients are programmed to seamlessly query a different server when that happens. That’s why DNS, by fiat, requires at least two nameservers (for redundancy). From IETF (Internet Engineering Task Force) RFC (Request for Comment) 1034:
A given zone will be available from several name servers to insure its availability in spite of host or communication link failure. By administrative fiat, we require every zone to be available on at least two servers, and many zones have more redundancy than that.