Dead simple DNS for IPv4 — with downloadable wildcard certificates for private networks. Stop juggling /etc/hosts, local CA installs, or ad‑hoc certificates.
qip.sh maps hostnames to IPv4 addresses automatically (like nip.io), and adds something developers constantly need: free, downloadable wildcard TLS certificates for non‑publicly routable subnets.
/etc/hosts edits — stop fighting hostname mappings across laptops, VMs, containers, and CI runners
1
zozizs.x.qip.sh → 10.0.1.5
app-zozizs.x.qip.sh → 10.0.1.5
2
10-0-1-5.qip.sh → 10.0.1.5
app-10-0-1-5.qip.sh → 10.0.1.5
3
10.0.1.5.qip.sh → 10.0.1.5
app.10.0.1.5.qip.sh → 10.0.1.5
*.i.qip.sh127.0.0.1 — Localhost friendly. Any *.i.qip.sh hostname resolves to 127.0.0.1 for easy local HTTPS development.
*.x.qip.sh10.0.0.0/8 — Most common private network range used in enterprise and home networks.
*.c.qip.sh100.64.0.0/10 — CGNAT (Carrier-Grade NAT) address space for ISP-level address translation.
*.v.qip.sh192.168.0.0/16 — Popular home and small office network range.
*.p.qip.sh172.16.0.0/12 — Private address space commonly used in Docker and enterprise networks.
*.j.qip.sh198.18.0.0/16 — Benchmark and testing network range for network device testing.
*.k.qip.sh198.19.0.0/16 — Additional benchmark and testing network range.
qip.sh provides free downloadable wildcard TLS certificates for the supported private/non-public wildcard zones. Install a wildcard certificate on your reverse proxy and serve HTTPS for any hostname covered by that wildcard.
The PEM contains everything in one file: certificate + issuer chain + private key
# Example: *.i.qip.sh (localhost / 127.0.0.1)
curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o i.qip.sh.pem
# All supported zones
curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o i.qip.sh.pem # 127.0.0.1
curl -fsSL https://qip.sh/cert/x.qip.sh.pem -o x.qip.sh.pem # 10.0.0.0/8
curl -fsSL https://qip.sh/cert/c.qip.sh.pem -o c.qip.sh.pem # 100.64.0.0/10
curl -fsSL https://qip.sh/cert/v.qip.sh.pem -o v.qip.sh.pem # 192.168.0.0/16
curl -fsSL https://qip.sh/cert/p.qip.sh.pem -o p.qip.sh.pem # 172.16.0.0/12
curl -fsSL https://qip.sh/cert/j.qip.sh.pem -o j.qip.sh.pem # 198.18.0.0/16
curl -fsSL https://qip.sh/cert/k.qip.sh.pem -o k.qip.sh.pem # 198.19.0.0/16For automation or file separation — contains .crt, .key, .issuer.crt, and .pem
curl -fsSL https://qip.sh/cert/i.qip.sh.zip -o i.qip.sh.zipcurl --head https://qip.sh/cert/i.qip.sh.pem
HTTP/2 200
expires: Tue, 17 Mar 2026 20:59:12 GMT <-- expiration date
last-modified: Wed, 17 Dec 2025 20:59:12 GMT <-- issue date
Run your service locally: https://app.i.qip.sh:3000
Use the *.i.qip.sh wildcard certificate for clean HTTPS on localhost without browser warnings.
2
Give your NAS, Pi-hole, and internal apps stable names:
https://grafana-aobo.v.qip.sh for 192.168.10.20
Use wildcard certificates for TLS without managing your own CA.
3
Create TLS-friendly internal hostnames without managing DNS zones:
api-zozizs.x.qip.sh
Perfect for QA environments and ephemeral stacks.
qip.sh also acts as a DNS-over-HTTPS (DoH) resolver. Use it to resolve any qip.sh hostname or perform reverse lookups (PTR) to convert an IPv4 into qip.sh domains.
https://qip.sh/dns-query
Convert an IPv4 address into all valid qip.sh hostnames:
# Reverse lookup via PTR
dig @ns.qip.sh -x 192.168.10.20 +short
# Example output:
# aobo.v.qip.sh.
# vaobo.qip.sh.
# ip-192-168-10-20.qip.sh.
# 192-168-10-20.qip.sh.
# 192.168.10.20.qip.sh.All returned hostnames are valid and can be prefixed, for example:
api-aobo.v.qip.sh or dev.192.168.10.20.qip.sh
Free
Yes — both map hostnames to IPs automatically. qip.sh differs by using custom CoreDNS, offering qip notation (instead of hexadecimal), providing free downloadable wildcard SSL certificates for private/non‑routable subnet wildcard zones, providing a localhost wildcard zone (*.i.qip.sh), and offering a built-in DNS-over-HTTPS endpoint.
Yes! Anything returned by PTR (or shown by the website tool) can be prefixed with anything- or something. and it will still resolve to the same IP. For example: api-aobo.v.qip.sh, dev-va0b0.qip.sh, or app.192.168.10.20.qip.sh.
Yes! qip.sh is totally free for normal usage including wildcard DNS mappings, qip notation, reverse lookup via PTR, DNS-over-HTTPS endpoint, and downloadable wildcard certificates for supported private/non‑routable zones. If you need custom solutions beyond the standard service, contact us to discuss your requirements.
We've done some initial work on IPv6 support but it requires more polishing before it's ready for production use. Currently, qip.sh is focused on IPv4 addressing.
DNS resolution can map to any IPv4 using dot/dash format (e.g., 1.2.3.4.qip.sh). However, downloadable wildcard certificates are focused on non-publicly routable networks (private IP ranges and localhost).
No. Certificates are provided for the subnet wildcard zones (e.g., *.x.qip.sh, *.v.qip.sh, *.i.qip.sh). Plain dot/dash IP hostnames like 10.0.1.5.qip.sh resolve correctly but do not include downloadable wildcard certs.
Certificates are renewed every 60 days and are valid for up to 90 days. To stay current, re-download the certificate periodically and reload your reverse proxy. You can check the issue and expiry dates using curl --head https://qip.sh/cert/i.qip.sh.pem.
qip notation is our proprietary encoding format that deterministically maps compact hostnames to IPv4 addresses within specific subnet zones. For example, zozizs.x.qip.sh maps to 10.0.1.5. This format is TLS/wildcard-friendly and works better with certificate workflows than some other formats.
Use the website form by entering your IPv4 address, or use dig from the command line:
dig @ns.qip.sh -x 192.168.10.20 +short
This will return all valid qip.sh hostnames for that IP address.
qip.sh certificates work with any web server or reverse proxy that supports standard TLS certificates. We provide configuration examples for Nginx, Caddy, and Traefik, but you can use Apache, HAProxy, or any other server that accepts PEM or separate cert/key files.
Yes, for private networks and internal services. qip.sh is designed for private IP spaces, local development, and internal environments. If you need long-lived enterprise PKI, mTLS at scale, or strict compliance requirements, you may prefer your own CA or internal certificate platform.
Simply re-download the latest certificate and reload your reverse proxy or web server. Since certificates are renewed every 60 days, we recommend setting up a simple automation (cron job or similar) to download and reload certificates periodically.
We maintain minimal operational logs for service reliability and debugging purposes. We do not correlate, sell, or share query data. Your privacy is important to us.
qip.sh provides a DoH endpoint at https://qip.sh/dns-query that you can use to resolve qip.sh hostnames or perform PTR lookups over HTTPS. This is useful in environments where outbound DNS (UDP/53) is restricted or when you want DNS resolution over HTTPS for portability or policy reasons.
