
Xip.io - a magic domain name that provides wildcard DNS for any IP address - qrush
http://xip.io/
======
beagle3
What is the use case that requires <http://test.10.0.0.3.xip.io/test-page>
rather than <http://10.0.0.3/test-page> ? I've been using the latter on
iphones and ipads with no problem.

Honest question.

~~~
beggi
You can't test multiple sites on the same host using just the IP.

~~~
vasco
"You can't test multiple sites on the same host using just the IP."

I'm not getting what the problem is. Isn't this what ports are for? Or even
just running the websites on different folders?

~~~
julian37
Sometimes vhosts are convenient, sometimes they're even mandatory. For
example, with XMPP servers, multi-user chat and any components _must_ live on
a subdomain. So if your main server is running on example.com then the MUC
server is, say, conference.example.com and component "foo" is foo.example.com.
No way around it short of hacking the source (and, if I'm not mistaken,
violating standards.)

This is just one situation where I can see this come in really handy during
development.

~~~
AceJohnny2
> _For example, with XMPP servers, multi-user chat and any components must
> live on a subdomain._

This is only necessary if you want users outside your domain to access your
component. While you probably want to do so for MUC, you might not necessarily
want to bother for your user directory or gateways. I've run many servers over
the years and long since stopped creating a host/subdomain for each component.

~~~
julian37
Interesting, this must be a shortcoming of OpenFire then. With OpenFire I
haven't found a way around having the MUC and extension subdomains accessible
via DNS, regardless of whether or not requests are coming from the same domain
or not. Is this not necessary with other XMPP servers? Which ones are you
using, if I may ask?

~~~
zeen
It is indeed a shortcoming of OpenFire; one that won't be fixed [1].

As far as the XMPP protocol is concerned, the concept of sub-domains doesn't
matter. It's useful for human users when configuring servers though.

Prosody for example allows running a multi-user chat service on example.com.
And there's an undocumented feature which lets you have user@example.com be a
user, and room@example.com be a chatroom.

[1] <http://issues.igniterealtime.org/browse/OF-162>

------
riobard
I have a dd-wrt router with DNSmasq functioning as the DNS server for local
hosts. DNSmasq resolves external domains using Google DNS (8.8.8.8/8.8.4.4).
With this setup, domain names like 192.168.X.X.xip.io and 127.X.X.X.xip.io
won't resolve, and I believe there is something wrong with my DNSmasq setup.
Anyone else run into similar issues?

(Update) Problem solved by myself. The DNSmasq config has stop-dns-rebind
option enabled, which filters out DNS results in private IP ranges from
upstream servers for security reasons. DNSmasq doc has the following part:

    -stop-dns-rebind

Reject (and log) addresses from upstream nameservers which are in the private
IP ranges. This blocks an attack where a browser behind a firewall is used to
probe machines on the local network.

In case you run into this issue, just comment out this option in dnsmasq.conf
and restart dnsmasq.

~~~
j-kidd
Or you can add rebind-domain-ok=xip.io to dnsmasq.conf. Not that I would do
that myself, as I still don't see what value it provides.

~~~
riobard
Thanks for this tip! I guess this is more secure than just opening up all
rebind from the wild.
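A small model of the two dnsmasq behaviours discussed above, the stop-dns-rebind filter and the rebind-domain-ok exemption, written in Python as an added example for this thread; it is not dnsmasq's code. The private-range list, the (name, type, rdata) tuple shape and the log text are constructed for the example and only approximate what dnsmasq does:

```python
import ipaddress

# Ranges treated as "private" for the rebind check. This is a constructed
# approximation of dnsmasq's stop-dns-rebind set (RFC 1918, loopback,
# link-local, 0/8, IPv6 ULA and link-local), not dnsmasq's own list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "fc00::/7", "fe80::/10",
)]


def is_private_address(addr):
    """True if addr (an IPv4/IPv6 string) lies in one of PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def domain_allowed(qname, allowed_domains):
    """rebind-domain-ok semantics: qname equals, or is under, an allowed domain."""
    q = qname.rstrip(".").lower()
    for d in allowed_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_upstream_reply(qname, answers, stop_dns_rebind=True, rebind_domain_ok=()):
    """Apply the rebind check to a reply received from an upstream server.

    answers is a list of (name, rtype, rdata) tuples (a constructed shape for
    this example). Returns (answers, None) when the reply is accepted and
    (None, log_line) when it is rejected, mirroring "reject (and log)".
    """
    if not stop_dns_rebind or domain_allowed(qname, rebind_domain_ok):
        return list(answers), None
    for name, rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_private_address(rdata):
            # Constructed log text, modelled on dnsmasq's rebind warning.
            return None, "possible DNS-rebind attack detected: %s -> %s" % (qname, rdata)
    return list(answers), None


if __name__ == "__main__":
    reply = [("foo.192.168.1.5.xip.io", "A", "192.168.1.5")]
    # Default configuration: the private answer is rejected and logged.
    print(filter_upstream_reply("foo.192.168.1.5.xip.io", reply))
    # rebind-domain-ok=xip.io: the same answer is accepted.
    print(filter_upstream_reply("foo.192.168.1.5.xip.io", reply, rebind_domain_ok=["xip.io"]))
    # A public address (192.0.2.0/24 is documentation space) is never filtered.
    print(filter_upstream_reply("www.example.com", [("www.example.com", "A", "192.0.2.10")]))
```

The exemption is deliberately narrow: with rebind-domain-ok=xip.io only names under that domain may carry private addresses, so an unrelated name that suddenly resolves to 192.168.x.x is still refused. That is the difference between j-kidd's suggestion and commenting the option out entirely.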

------
LocalPCGuy
I'm not exactly sure why it is so hard to connect to a local machine on your
network. Either determine your local IP address or your network computer name.

~~~
dools
If you're creating an application where connecting on the "root domain"
matters it can be problematic. For example, imagine you were creating some URL
rewrites using apache's mod_rewrite and they worked for
<http://some.domain.com/rewrite-goes-here/> you would have to do a bunch of
extra work (or an extra set of rules even) to make that work also for
10.0.1.1/my_app_without_vhost/rewrite-goes-here/

When you're testing on your LAN using a PC/mac or whatever you can do a local
DNS modification on the machine (eg. /etc/hosts) but when you're testing from
an iPad or some other device this is either impossible or prohibitively
difficult.

The other option is to setup a DNS server on your LAN which is a headache all
its own - this is a very simple and elegant way of circumventing these
issues. Awesome stuff.

~~~
bencoder
You really should develop your apps so that they are path agnostic. And the
mod_rewrite rules can be fixed with a simple RewriteBase declaration
(RewriteBase /subdirectory). I've never found this a major problem that
requires a DNS server to fix.

------
comice
Reimplemented in ~30 lines of ruby as a powerdns pipe backend.

<https://gist.github.com/2897076>

powerdns is a solid dns server and very extensible!

    $ host whatever.192.0.43.10.ip.ipq.co
    whatever.192.0.43.10.ip.ipq.co is an alias for 1h9u9ze.ip.ipq.co.
    1h9u9ze.ip.ipq.co has address 192.0.43.10

------
sstephenson
For those who missed the other announcement, Pow 0.4.0 has xip.io support
built-in: <http://37signals.com/svn/posts/3191-announcing-pow-040-with-xipio-support>

~~~
MartinMond
Does that actually work? On my machine pow has ipfw configured so that it only
forwards requests to 127.0.0.1 not to 10.0.1.whatever so
project.10.0.0.5.xip.io fails.

Filed an issue: <https://github.com/37signals/pow/issues/293>

Edit: a) I should RTF man page for ipfw, b) nevertheless my OS X behaved
strangely. I rebooted and now everything works.

Anyway, great project, have been a happy user of pow master for quite a while.

------
shawndrost
I've also made use of lvh.me (local virtual host), a URL whose DNS points at
127.0.0.1. It's good for testing subdomains on localhost.

~~~
no_more_death
localhost.microsoft.com and localhost.yahoo.com also used to redirect to
127.0.0.1. And, of course, this wreaked utter havoc with cookies (since
cookies are accessible across the entire domain). Zalewski discusses in TTW
(The Tangled Web).

DNS hackery is really dangerous.

~~~
ajasmin
I gather that Xip.io have the same issue with cookies.

~~~
adgar
Yes, but xip.io doesn't host any production services with which test cookies
might interact.

------
StavrosK
Hmm... Why wouldn't I just type the IP in?

~~~
eli
Because then you can only serve one site from that address.

With this you could serve as many different sites as you want based on the
first part of the domain name.

~~~
julian37
To expand on this, this problem can usually be solved by editing /etc/hosts.
But you can't do that on some platforms such as iOS.

By the way, a neat trick is to assign an alias to your network interface in
order to avoid the trouble of DHCP giving you a different IP address each time
you connect. For example, on Mac OS X:

    $ sudo ifconfig en1 alias 10.99.99.99 netmask 255.0.0.0

This address will only be reachable from hosts that have a route to it, which
can be achieved for example by also giving them an alias on the same subnet.
Still, comes in handy at times.

(Obviously you want to be sure you're using a vacant address.)

(And of course, when you have control over the DHCP server there are more
elegant ways of achieving this, such as binding your MAC to a static IP
address.)

Edited for clarity.

~~~
drivebyacct2
What is the difference between an alias and a static IP address? Also don't
most routers attempt to give IPs back to the MAC that last had them?

~~~
julian37
_What is the difference between an alias and a static IP address?_

Not sure what you mean. If you're referring to the bit about binding MAC to an
address, I should probably have said "fixed IP" rather than "static IP", sorry
about that.

_Also don't most routers attempt to give IPs back to the MAC that last had
them?_

I'm hopping between different networks (with different DHCP servers) quite a
lot, maybe it's less useful when you're always on the same network.

~~~
drivebyacct2
Ah, no Wilya picked up on why I was confused. Sounds like a great tip, thanks!

------
tsaixingwei
This would be great for testing multi-tenanted cloud applications. For
example:

tenant1.10.0.0.1.xip.com tenant2.10.0.0.1.xip.com tenant3.10.0.0.1.xip.com

They all resolve to the same IP Address (10.0.0.1), but now the web
application at that address knows which tenancy is being targeted.

~~~
recurser
You can do this with pow if you're testing locally - tenant1.mydomain.dev,
tenant2.mydomain.dev etc, and the URLs are a bit cleaner.

------
impoverished
Couldn't you accomplish this with djbdns' dnsrewrite or pdns_recursor's lua
scripting?

Why anyone would want to write DNS server (=something that needs to be very
fast) in Javascript is beyond my comprehension. The ASCII art is probably
better work than the DNS server.

~~~
j-kidd
Or unbound's python scripting. Or if GeoScaling slightly improves its
excellent smart subdomain service, 2 lines of php script.

------
spobo
You guys are missing the point. It's intended to be used with Pow. This way
you don't have to bother with manually starting & stopping servers or
remembering ports or whatever. This domain allows you to access your
sites in the same way from any device in your network. Not just your dev
machine. Handy! And it works. What's not to like then?

<http://37signals.com/svn/posts/3191-announcing-pow-040-with-xipio-support>

------
rs
I created a clone of xip.io which doesn't have any of the DNS faults:

<http://news.ycombinator.com/item?id=4085522>

------
comice
I run a kinda related service that does instant dns records: <http://ipq.co/>

And I wrote a Ruby DSL to easily integrate with a real dns server (powerdns).
Makes it trivially easy to write things like xip.io

<https://github.com/johnl/powerdns_pipe>

------
baby
I don't get it, it's pretty easy to install a wildcard system on one's server
right? Why would we go through this?

------
darrikmazey
I run a simple djbdns setup locally with a caching resolver that passes
specific domains to my dns server proper and the rest up the chain. Took about
seven minutes to configure properly. This seems overly complex.

------
ChuckMcM
Nice hack.

Of course reverse dns doesn't work :-) I suppose it kinda sorta could if you
tracked where a request came from and what IP you sent it and if you got a
reverse lookup you could undo that, but still it is clever!

~~~
devicenull
Reverse DNS is controlled by the company that owns the actual IP address.
There's no way for a random website to change responses for it (unless they
own the IP range, or were delegated control)

~~~
xxyyxyxyy
Isn't it controlled by whoever is running the .arpa domain?

~~~
ChuckMcM
Yes and no. There is nothing [1] preventing any DNS server from responding
authoritatively to a request that it is presented with, except a moral
correctness to the protocol.

[1] If you ever wondered how openDNS or your ISP sends you spammy web pages
when you try to resolve something that doesn't exist, or how the hotel hijacks
your browser into giving you a login page, this is it. You look for google.com
it notes you haven't logged in and returns the address for its paywall as the
answer.

Oh except if you are running dnssec in which case it is a lot harder to lie
about what you are authoritative for. But on my dns servers at home they all
think they are authoritative for 10.in-addr.arpa. so that they will answer
queries for that network.

------
atomaka
Why is this better than adding an entry to my hosts file?

~~~
sstephenson
How are you going to add an entry to the hosts file on an iPhone?

~~~
MiguelHudnandez
I know you meant your question rhetorically, but I believe you can add a proxy
server to the iPhone and handle any hostname trickery there.

Edit: Proxy settings can't be global, but are assigned individually for each
WiFi connection.

~~~
Karunamon
Yeah but then you're into jailbreak-warranty-invalidation territory. Great for
personal devices, not so great on corporate.

~~~
sim0n
Why would adding a proxy server invalidate your warranty? Adding a proxy is
built in to iOS.

~~~
Karunamon
Oh whoops.. misread parent as _installing_ a proxy server, not configuring one
to be used in the settings.

------
tijs
This is pretty handy until we're all switched over to IPv6 and we'll need to
"solve the problem once and for all" again.

~~~
drbawb
Isn't the idea of IPv6 that we have plenty of addresses? Thus it wouldn't
(read: shouldn't) be hard to get another address bound to your virtual host.

In fact doesn't the whole idea of binding multiple sub-domains to the same IP
address (on the same port) kind of go by the wayside when it's free/cheap/not-
going-to-blow-up-the-internet to get another IP?

~~~
tijs
Yes, you could indeed throw another address at your virtual host. But the
website/tool in question won't work with IPv6 addresses as they are not valid
in a URL is the point I was trying to make :)

------
aaroneous
I wish one of the localhost-to-web projects like showoff.io or localtunnel
would allow wildcard hostnames like this.

------
mparlane
I hope people trust 37signals.

~~~
ldng
Well, if you don't : <https://github.com/sstephenson/xipd>

~~~
zaptheimpaler
We have no proof that the code on the repo is related in any way to the code
the actual site is running.

~~~
sstephenson
You're right. I'm probably just running xip.io to steal all your sensitive
development-mode form data!

~~~
mparlane
Information you have access to:

External ip addresses of requestees. Internal ip addresses of requestees.

To some, this is very useful...

~~~
bonzoesc
Can you be specific instead of "to some?"

------
rmoriz
Why not use mDNS/Bonjour?

------
iapi
looks very useful

------
jsprinkles
I've identified several technical problems with this domain, and this isn't an
example of how to properly operate DNS. 37signals is setting an absurdly low
TTL on these records (10 minutes; the answers never change, I absolutely do
not understand the logic behind this TTL), which means every 10 minutes you're
re-resolving _a local address_ , through a _CNAME_ (so two DNS round trips,
and in my case this resolution took between 115ms and 230ms, not small
change):

    [~]$ dig foo.169.254.84.1.xip.io
    foo.169.254.84.1.xip.io.    600    IN    CNAME    foo.daze1.xip.io.
    foo.daze1.xip.io.           600    IN    A        169.254.84.1

Concerningly, ns-1.xip.io is also broken; it does not serve NS records for its
own zone, instead relying upon the SOA record and the upstream glue, which I'm
shocked works:

    [~]$ dig +short NS xip.io
    [~]$

The nameserver delegation from nic.io is also broken:

    xip.io.    86400    IN    NS    ns-1.xip.io.
    xip.io.    86400    IN    NS    ns6.gandi.net.
    ;; Received 86 bytes from 2001:678:5::1#53(b.nic.io) in 60 ms

Oh, well that's interesting, Gandi is a backup for their custom daemon, eh? So
did they implement AXFR, IXFR, and notify and such to Gandi? Well, let's ask
Gandi:

    [~]$ dig @ns6.gandi.net. SOA xip.io
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3222

Oh, guess not. The long and short of this is for DNS purposes, a custom daemon
is almost never the answer. This could have been accomplished with BIND fairly
easily, and the zone would be functional as well.

~~~
colmmacc
It's a cool idea, but there are some other problems too; which I just want to
list to help the developers and am not trying to rain on a parade.

As in the parent comment, a CNAME is returned for arbitrary names;

    % dig foo.192.0.2.1.xip.io
    foo.192.0.2.1.xip.io.    600    IN    CNAME    foo.a2eo0.xip.io.
    foo.a2eo0.xip.io.        600    IN    A        192.0.2.1

but only if the request is of type A. Requests of other types return invalid
NXDOMAIN responses - invalid because they contain no SOA in the authoritative
section. CNAMEs are supposed to be returned for all records of any type for a
given name, not doing so is dangerous as it can poison caches. Not returning
the CNAME even for a query of type "CNAME" is particularly harmful.

Responding with no name would be bad on its own, but saying that no name
exists is clearly wrong and can be used to poison caches (the NXDOMAIN is
cacheable). Note that most browsers and clients will now perform an AAAA
lookup prior to the A lookup - poisoning their own cache if they happen to
have a copy of the SOA for xip.io in cache (the SOA record hints to the
negative cache lifetime).

It's not clear that using an intermittent CNAME does anything useful - why not
just return an A record, with a billion second TTL value. As-is, it merely
adds a round-trip (the CNAME and A are not returned in one pass by
ns-1.xip.io).

Additionally, ns-1.xip.io does not mark the "authoritative answer" bit in any
responses - which will cause issues with some resolvers.

But, still a neat idea. Question for the developers;

It's clear that the intermediate CNAME represents an encoding of the IP
address, e.g.;

    foo.192.0.2.1.xip.io.    600    IN    CNAME    foo.a2eo0.xip.io.

here "a2eo0" is an encoding of 192.0.2.1 , but then;

    foo.192.0.2.2.xip.io.    600    IN    CNAME    foo.k201s.xip.io.

are you using some kind of cipher?

PS. Everybody please use 192.0.2.0/24 for IP addresses in examples and
documentation, and 2001:db8::/16 for IPv6. See RFC3330/5735 and RFC3849. It's
good karma ;-)
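To make the response-semantics points in this comment concrete, here is a model of how an authoritative server for a wildcard zone of this shape should answer, written as an added Python example; it is not xipd's code and not part of the thread. The zone name, the SOA contents and the one-year TTL are constructed. The behaviour follows the comment: an A query gets an A record directly (no intermediate CNAME) with the AA bit set; a query of any other type for a name that exists gets NOERROR with an empty answer section and the SOA in the authority section (the NODATA form from RFC 2308, so an AAAA lookup made before the A lookup cannot poison the cache with a false NXDOMAIN); only names that do not match the pattern get NXDOMAIN, again with the SOA; names outside the zone are refused.

```python
import ipaddress

ZONE = "xip.io"
LONG_TTL = 31536000   # one year: the answers never change, so cache them long
# Constructed SOA for the example: (owner, ttl, type, rdata). The last field of
# the rdata (600) is the negative-cache lifetime that resolvers will use.
SOA = ("xip.io.", 600, "SOA", "ns-1.xip.io. hostmaster.xip.io. 1 3600 600 604800 600")


def ip_from_name(qname, zone=ZONE):
    """Return the IPv4 address in <anything>.<a>.<b>.<c>.<d>.<zone>, else None.

    The four labels immediately before the zone must form a valid dotted quad;
    any labels in front of them are free text (foo.10.0.0.3.xip.io).
    """
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return None
    octets = labels[:-len(zone_labels)][-4:]
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ipaddress.AddressValueError:   # non-numeric or out-of-range label
        return None


def answer(qname, qtype, zone=ZONE):
    """Build an authoritative response as a dict: rcode, aa, answer, authority."""
    name = qname.rstrip(".").lower()
    resp = {"rcode": "NOERROR", "aa": True, "answer": [], "authority": []}
    if not (name == zone or name.endswith("." + zone)):
        resp.update(rcode="REFUSED", aa=False)        # not our zone at all
        return resp
    if name == zone:                                  # the zone apex itself
        (resp["answer"] if qtype == "SOA" else resp["authority"]).append(SOA)
        return resp
    ip = ip_from_name(name, zone)
    if ip is None:                                    # name does not match the pattern
        resp["rcode"] = "NXDOMAIN"
        resp["authority"].append(SOA)                 # SOA makes the negative answer cacheable
        return resp
    if qtype == "A":
        resp["answer"].append((name + ".", LONG_TTL, "A", ip))
    else:
        resp["authority"].append(SOA)                 # NODATA: name exists, no such type
    return resp


if __name__ == "__main__":
    for qtype in ("A", "AAAA", "CNAME"):
        print(qtype, answer("foo.192.0.2.1.xip.io", qtype))
    print("bad octet", answer("foo.999.0.0.1.xip.io", "A"))
```

The distinction the comment draws is between the two negative answers: the AAAA case above is "this name exists but has no AAAA" and is safe to cache, whereas the NXDOMAIN case asserts that the whole name is absent and would, if returned for an existing name, let a resolver discard the A record it is about to ask for.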

~~~
X-Istence
Source code for encode/decode is found here:

<https://github.com/sstephenson/xipd/blob/master/src/index.coffee#L95>

~~~
colmmacc
Thanks! It reads like a 36-ary encoding of an IP address in host byte order,
rather than network byte order, which is why it seems to jump around so much.

Interestingly, it encodes 0.0.0.0.xip.io as 0.xip.io , but then refuses to
answer for 0.xip.io. Why isn't obvious to me from reading the code, perhaps
some kind of overflow condition is triggered by the right shift.
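The reading above can be checked against the two CNAME targets quoted upthread. The following is an added Python reimplementation of that encoding, written for this thread and not taken from xipd: interpret the four octets as a little-endian 32-bit integer (host byte order on x86) and write it in base 36 with the digits 0-9a-z. Under that assumption 192.0.2.1 comes out as a2eo0 and 192.0.2.2 as k201s, exactly the labels in the dig output, and 0.0.0.0 collapses to the single digit 0 as noted. The decoder is the inverse, with a bounds check so that a token too long for 32 bits is rejected rather than silently wrapped:

```python
import ipaddress

# Digit alphabet for base 36: 0-9 followed by a-z.
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_ip_base36(ip):
    """Encode a dotted IPv4 address as base 36 of its little-endian integer value.

    Little-endian is the assumed "host byte order" of the parent comment; with
    network (big-endian) order the same addresses would give different tokens.
    """
    n = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    if n == 0:
        return "0"                    # 0.0.0.0 becomes a single digit
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(DIGITS[r])
    return "".join(reversed(digits))


def decode_base36_ip(token):
    """Inverse of encode_ip_base36. Raises ValueError on bad digits or overflow."""
    n = 0
    for ch in token.lower():
        n = n * 36 + DIGITS.index(ch)   # .index raises ValueError for a non-digit
    if n > 0xFFFFFFFF:
        raise ValueError("token does not fit in 32 bits: %r" % token)
    return str(ipaddress.IPv4Address(n.to_bytes(4, "little")))


if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.2", "0.0.0.0", "169.254.84.1"):
        token = encode_ip_base36(addr)
        print(addr, "->", token, "->", decode_base36_ip(token))
```

Because consecutive addresses differ in the least significant byte, which little-endian places in the most significant position of the integer, the tokens change in their leading digit rather than their trailing one; that is the "jumping around" the parent comment describes. Why the real server declines to answer for 0.xip.io is not something this reimplementation reproduces or explains.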

------
xxyyxyxyy
This is a hack for devices where the user cannot access /etc/hosts?

Running a local DNS server on these devices is also not possible?

Can a user access ifconfig and change interface settings, e.g. adding an
alias?

In terms of networking, these devices appear to be crippled. Yet they do not
have to be if they're built using code from BSD's.

------
shellox
I can't really see the problem which it try to solve, but I guess some people
need it.

------
nvoorhies
I think it really speaks to the impoverished startup environment in Chicago
that this ends up as an un-monetized throwaway product.

In Silicon Valley an idea like this could lead to a helluva exit with backing
from incubators like YC.

~~~
impoverished
That's funny. I would interpret it the other way around. It doesn't say much
for SV if they have to make money off of redundant little .js hacks like this.
They have nothing better? That's the problem with SV. Lots of stupid money,
conniving VC and no standard for what constitutes an actual business. They can
take anything and spin it into a "company" just to reach a "helluva exit".
What a joke. It is all going to implode.

