qip.sh Technical Documentation

Table of Contents

1. Overview
2. Getting Started
3. DNS Resolution
4. Wildcard Certificates
5. Installation Guides
6. Advanced Usage
7. API Reference
8. FAQ
9. Troubleshooting

Overview

What is qip.sh?

qip.sh is a free, production-ready service that provides:

1. Wildcard DNS resolution for IPv4 addresses using multiple notation formats
   
2. Free downloadable wildcard TLS certificates for private/non-routable IP ranges
   
3. DNS-over-HTTPS (DoH) support for encrypted DNS queries
   
4. Reverse lookup (PTR) to convert IPv4 addresses into valid qip.sh hostnames

Key Features

• Zero setup required — no /etc/hosts editing, no manual DNS zones
• Multiple hostname formats — dot notation, dash notation, and proprietary qip notation
• Real HTTPS for private IPs — valid TLS certificates without managing your own PKI
• Works everywhere — Kubernetes, Docker, Nginx, Caddy, Traefik, and any standard web server
• Totally free — no signup, no credit card, no usage limits

Supported Networks (with free wildcard certificates)

Getting Started

Quick Start (5 minutes)

Step 1: Get Your qip.sh Hostname

For an IPv4 address like 127.0.0.1, use any of these formats:

# All resolve to 127.0.0.1
https://app.i.qip.sh
https://localhost-app.i.qip.sh
https://127.0.0.1.qip.sh
https://127-0-0-1.qip.sh

Step 2: Test DNS Resolution

# Test localhost zone
dig app.i.qip.sh +short
# Output: 127.0.0.1

# Test private network
dig api.x.qip.sh +short
# Output: 10.0.0.1 (example)

# Reverse lookup - find all hostnames for an IP
dig @ns.qip.sh -x 192.168.10.20 +short

Step 3: (Optional) Download SSL Certificate

For using HTTPS with a qip.sh hostname:

# Download certificate for localhost zone
curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o i.qip.sh.pem

# Verify certificate
curl --head https://qip.sh/cert/i.qip.sh.pem

Step 4: Configure Your Web Server

See Installation Guides for Nginx, Caddy, Traefik, or other servers.

DNS Resolution

Hostname Formats

qip.sh supports three primary hostname formats for DNS resolution:

1. Dot Notation

Embed the IP address directly using dots:

<optional-prefix>.<IP-address>.qip.sh → <IP-address>

Examples: - 10.0.1.5.qip.sh → 10.0.1.5 - app.10.0.1.5.qip.sh → 10.0.1.5 - customer1.app.10.0.1.5.qip.sh → 10.0.1.5

Use case: Quick, human-readable hostnames for any IPv4 address. Certificate support: None (no wildcard cert for dot notation)

2. Dash Notation

Embed the IP address using dashes:

<optional-prefix>-<IP-address-with-dashes>.qip.sh → <IP-address>

Examples: - 10-0-1-5.qip.sh → 10.0.1.5 - app-10-0-1-5.qip.sh → 10.0.1.5 - dev-prod-10-0-1-5.qip.sh → 10.0.1.5

Use case: URL-friendly format for environments with DNS or proxy limitations. Certificate support: None (no wildcard cert for dash notation)

3. qip Notation (Proprietary)

Encode your IP deterministically into a compact label within a private subnet zone:

<optional-prefix>-<encoded-label>.<zone>.qip.sh → <IP-in-that-zone>

Examples (for 10.0.0.0/8 zone *.x.qip.sh): - zozizs.x.qip.sh → 10.0.1.5 - api-zozizs.x.qip.sh → 10.0.1.5 - customer1.prod.zozizs.x.qip.sh → 10.0.1.5

Use case: TLS-friendly hostnames that work with wildcard certificates. Certificate support: Yes! Use the zone’s wildcard cert (e.g., *.x.qip.sh for all *.x.qip.sh hostnames)

How to Encode qip Notation

Use the reverse lookup feature to find the encoded label for your IP:

# Reverse lookup for 10.0.1.5
dig @ns.qip.sh -x 10.0.1.5 +short

# Output includes:
# zozizs.x.qip.sh.
# ip-10-0-1-5.qip.sh.
# 10-0-1-5.qip.sh.
# 10.0.1.5.qip.sh.

The zozizs in this case is the qip notation for 10.0.1.5 within the *.x.qip.sh zone.

Prefixing Rules

Any qip.sh hostname can be prefixed with anything- or something. and will still resolve correctly:

# These all resolve to 10.0.1.5:
api.10.0.1.5.qip.sh
api-10-0-1-5.qip.sh
api-zozizs.x.qip.sh
customer1.app.api-10-0-1-5.qip.sh
prod.staging.api-zozizs.x.qip.sh

This is especially useful for: - Service identification (e.g., api-, ui-, db-) - Environment tagging (e.g., prod-, dev-, staging-) - Customer/project identification (e.g., customer1-, project-a-)

Reverse Lookup

Convert an IPv4 address into all valid qip.sh hostnames using PTR (Pointer) records:

Option A: Using the Web Form

Visit qip.sh and enter your IPv4 address to see all valid hostnames.

Option B: Using dig Command

# Reverse lookup
dig @ns.qip.sh -x 192.168.10.20 +short

# Alternative PTR notation
dig @ns.qip.sh -t PTR 20.10.168.192.in-addr.arpa +short

Example Output for Public IP (1.2.3.4)

zizzzezh.qip.sh.
z1z2z3z4.qip.sh.
ip-1-2-3-4.qip.sh.
1-2-3-4.qip.sh.
1.2.3.4.qip.sh.

Example Output for Private IP (192.168.10.20)

aobo.v.qip.sh.
vaobo.qip.sh.
va0b0.qip.sh.
ip-192-168-10-20.qip.sh.
192-168-10-20.qip.sh.
192.168.10.20.qip.sh.

All returned hostnames are valid and can be used with optional prefixes: - ui-aobo.v.qip.sh - dev.va0b0.qip.sh - customer1.app.192.168.10.20.qip.sh

Technical Implementation

DNS Server: CoreDNS (customized) Record Types: Primarily A records (IPv4) Response Time: Milliseconds Caching: Standard DNS caching applies

Wildcard Certificates

Certificate Overview

qip.sh provides free wildcard TLS certificates for private/non-routable subnet zones. These allow you to serve HTTPS without browser warnings and without managing your own PKI.

Certificate Lifecycle

• Issue & Renewal: Certificates are renewed every 60 days
• Validity: Valid for up to 90 days
• Update Requirement: Re-download and reload certificates periodically to stay current

Supported Zones

Each private subnet has a corresponding wildcard zone with a free certificate:

127.0.0.0/8    → *.i.qip.sh    (localhost)
10.0.0.0/8     → *.x.qip.sh    (10/8 private)
100.64.0.0/10  → *.c.qip.sh    (CGNAT)
192.168.0.0/16 → *.v.qip.sh    (192.168 private)
172.16.0.0/12  → *.p.qip.sh    (172.16-31 private)
198.18.0.0/16  → *.j.qip.sh    (benchmark)
198.19.0.0/16  → *.k.qip.sh    (benchmark)

Important: What Gets Certificates?

Only qip notation hostnames within a wildcard zone get certificate support.

Downloading Certificates

Option 1: PEM Format (Recommended)

Contains certificate, issuer chain, and private key in one file:

# Download for localhost zone
curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o i.qip.sh.pem

# Download all zones at once
for zone in i x c v p j k; do
  curl -fsSL "https://qip.sh/cert/${zone}.qip.sh.pem" -o "${zone}.qip.sh.pem"
done

Advantages: - Single file for cert + key - Works with most servers - Easy to automate

Disadvantages: - Some servers prefer separate files

Option 2: ZIP Format

Contains separate .crt, .key, .issuer.crt, and .pem files:

# Download for localhost zone
curl -fsSL https://qip.sh/cert/i.qip.sh.zip -o i.qip.sh.zip

# Extract
unzip -o i.qip.sh.zip

Contents: - i.qip.sh.crt — Certificate + issuer chain - i.qip.sh.key — Private key - i.qip.sh.issuer.crt — Issuer certificate (convenience copy) - i.qip.sh.pem — Same as PEM download

Advantages: - Separate cert/key files - More control over file placement - Better for CI/automation

Disadvantages: - Multiple files to manage

Checking Certificate Status

# Check issue and expiry dates
curl --head https://qip.sh/cert/i.qip.sh.pem

# Example output:
# HTTP/2 200
# expires: Tue, 17 Mar 2026 20:59:12 GMT       ← Expiry date
# last-modified: Wed, 17 Dec 2025 20:59:12 GMT ← Issue date

Certificate File Locations by Zone

Certificate Authority

All qip.sh certificates are issued by a trusted certificate authority and are valid for all browsers and clients without warnings.

Installation Guides

Nginx (Recommended)

Nginx is the most straightforward server for qip.sh certificates because it supports PEM format directly.

Setup (PEM-based)

# 1. Create certificates directory
sudo mkdir -p /etc/nginx/certs

# 2. Download certificate
sudo curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o /etc/nginx/certs/i.qip.sh.pem

# 3. Set permissions
sudo chmod 600 /etc/nginx/certs/i.qip.sh.pem

Configuration

# /etc/nginx/sites-available/qip-localhost
server {
    listen 443 ssl http2;
    server_name *.i.qip.sh;

    # qip.sh certificate (PEM includes cert + key)
    ssl_certificate     /etc/nginx/certs/i.qip.sh.pem;
    ssl_certificate_key /etc/nginx/certs/i.qip.sh.pem;

    # SSL best practices
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Proxy to your backend service
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name *.i.qip.sh;
    return 301 https://$host$request_uri;
}

Verification

# Test configuration
sudo nginx -t

# Reload Nginx
sudo nginx -s reload

# Test HTTPS
curl -k https://app.i.qip.sh

Automatic Certificate Updates

#!/bin/bash
# /usr/local/bin/qip-update-certs.sh

CERT_DIR="/etc/nginx/certs"
ZONES=(i x c v p j k)

for zone in "${ZONES[@]}"; do
    curl -fsSL "https://qip.sh/cert/${zone}.qip.sh.pem" -o "$CERT_DIR/${zone}.qip.sh.pem"
done

nginx -t && nginx -s reload

Add to crontab for automatic renewal every 30 days:

crontab -e
# Add this line:
# 0 0 * * 0 /usr/local/bin/qip-update-certs.sh

Caddy

Caddy requires separate cert and key files. You can use the ZIP bundle or split the PEM.

Setup Option A: Using ZIP Bundle (Recommended)

# 1. Create certificates directory
mkdir -p /etc/caddy/certs/i.qip.sh

# 2. Download and extract ZIP
curl -fsSL https://qip.sh/cert/i.qip.sh.zip -o /tmp/i.qip.sh.zip
unzip -o /tmp/i.qip.sh.zip -d /etc/caddy/certs/i.qip.sh

# 3. Set permissions
chmod 600 /etc/caddy/certs/i.qip.sh/*.key

Setup Option B: Using PEM (Split into cert/key)

# 1. Create certificates directory
mkdir -p /etc/caddy/certs

# 2. Download PEM
curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o /etc/caddy/certs/i.qip.sh.pem

# 3. Extract private key
awk 'BEGIN{p=0} /BEGIN (RSA )?PRIVATE KEY/{p=1} p{print} /END (RSA )?PRIVATE KEY/{p=0}' \
  /etc/caddy/certs/i.qip.sh.pem > /etc/caddy/certs/i.qip.sh.key

# 4. Extract certificate + issuer
awk 'BEGIN{p=1} /BEGIN (RSA )?PRIVATE KEY/{p=0} p{print} /END (RSA )?PRIVATE KEY/{p=1}' \
  /etc/caddy/certs/i.qip.sh.pem > /etc/caddy/certs/i.qip.sh.crt

# 5. Set permissions
chmod 600 /etc/caddy/certs/i.qip.sh.key

Configuration (Option A: ZIP)

# /etc/caddy/Caddyfile
*.i.qip.sh {
    tls /etc/caddy/certs/i.qip.sh/i.qip.sh.crt /etc/caddy/certs/i.qip.sh/i.qip.sh.key
    reverse_proxy 127.0.0.1:3000
}

# For multiple zones
*.x.qip.sh {
    tls /etc/caddy/certs/x.qip.sh/x.qip.sh.crt /etc/caddy/certs/x.qip.sh/x.qip.sh.key
    reverse_proxy localhost:3001
}

Configuration (Option B: PEM-based)

*.i.qip.sh {
    tls /etc/caddy/certs/i.qip.sh.crt /etc/caddy/certs/i.qip.sh.key
    reverse_proxy 127.0.0.1:3000
}

Reload

caddy reload --config /etc/caddy/Caddyfile

Automatic Certificate Updates

#!/bin/bash
# /usr/local/bin/qip-update-caddy.sh

CERT_DIR="/etc/caddy/certs"
ZONES=(i x c v p j k)

for zone in "${ZONES[@]}"; do
    mkdir -p "$CERT_DIR/${zone}.qip.sh"
    curl -fsSL "https://qip.sh/cert/${zone}.qip.sh.zip" -o "/tmp/${zone}.qip.sh.zip"
    unzip -o "/tmp/${zone}.qip.sh.zip" -d "$CERT_DIR/${zone}.qip.sh"
    rm "/tmp/${zone}.qip.sh.zip"
done

caddy reload

Traefik

Traefik uses a file provider for static configuration and can watch for certificate changes dynamically.

Setup

# 1. Create certificates directory
mkdir -p /etc/traefik/certs/i.qip.sh

# 2. Download and extract ZIP (or split PEM)
curl -fsSL https://qip.sh/cert/i.qip.sh.zip -o /tmp/i.qip.sh.zip
unzip -o /tmp/i.qip.sh.zip -d /etc/traefik/certs/i.qip.sh

# 3. Set permissions
chmod 600 /etc/traefik/certs/i.qip.sh/*.key

Configuration

Static config (traefik.yml)

# /etc/traefik/traefik.yml
api:
  insecure: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true
  docker:
    endpoint: unix:///var/run/docker.sock

Dynamic config (dynamic.yml)

# /etc/traefik/dynamic.yml
tls:
  certificates:
    - certFile: /etc/traefik/certs/i.qip.sh/i.qip.sh.crt
      keyFile: /etc/traefik/certs/i.qip.sh/i.qip.sh.key
    - certFile: /etc/traefik/certs/x.qip.sh/x.qip.sh.crt
      keyFile: /etc/traefik/certs/x.qip.sh/x.qip.sh.key

http:
  routers:
    localhost-app:
      rule: "HostRegexp(`{subdomain:.+}.i.qip.sh`)"
      service: local-backend
      entryPoints:
        - websecure
      tls: {}

    private-app:
      rule: "HostRegexp(`{subdomain:.+}.x.qip.sh`)"
      service: private-backend
      entryPoints:
        - websecure
      tls: {}

  services:
    local-backend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"

    private-backend:
      loadBalancer:
        servers:
          - url: "http://10.0.1.50:3000"

Docker Compose Example

version: '3.8'

services:
  traefik:
    image: traefik:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/traefik:/etc/traefik
    command:
      - "--configFile=/etc/traefik/traefik.yml"

  app:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=HostRegexp(`{subdomain:.+}.i.qip.sh`)"
      - "traefik.http.routers.myapp.entrypoints=websecure"
      - "traefik.http.routers.myapp.tls=true"
      - "traefik.http.services.myapp.loadbalancer.server.port=3000"

Verification

# Test Traefik configuration
traefik --configFile=/etc/traefik/traefik.yml

Apache (httpd)

For Apache, you need to enable mod_ssl and use the PEM or separate cert/key files.

<VirtualHost *:443>
    ServerName *.i.qip.sh
    
    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/i.qip.sh.crt
    SSLCertificateKeyFile /etc/apache2/certs/i.qip.sh.key
    
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>

<VirtualHost *:80>
    ServerName *.i.qip.sh
    Redirect permanent / https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Kubernetes (Ingress)

Using qip.sh with Kubernetes Ingress:

apiVersion: v1
kind: Secret
metadata:
  name: qip-i-cert
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: qip-ingress
spec:
  tls:
    - hosts:
        - "*.i.qip.sh"
      secretName: qip-i-cert
  rules:
    - host: "*.i.qip.sh"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 3000

Or use cert from URL:

# Create secret from downloaded cert
kubectl create secret tls qip-i-cert \
  --cert=i.qip.sh.crt \
  --key=i.qip.sh.key \
  -n default

Advanced Usage

Reverse Lookup Automation

Script to get all qip.sh hostnames for an IP:

#!/bin/bash
# qip-lookup.sh - Get all qip.sh hostnames for an IP

IP="$1"

if [ -z "$IP" ]; then
    echo "Usage: $0 <IP-address>"
    exit 1
fi

echo "qip.sh hostnames for $IP:"
echo "=========================="

dig @ns.qip.sh -x "$IP" +short | sort

echo ""
echo "Pick a TLS-friendly one (*.zone format) for HTTPS."

Usage:

./qip-lookup.sh 192.168.10.20

DNS-over-HTTPS (DoH)

Query qip.sh via HTTPS for encrypted DNS resolution:

# Resolve hostname via DoH
curl -s -H 'Accept: application/dns-json' \
  'https://qip.sh/dns-query?name=app.i.qip.sh&type=A' | jq .Answer

Example output:

[
  {
    "name": "app.i.qip.sh.",
    "type": 1,
    "TTL": 3600,
    "data": "127.0.0.1"
  }
]

Useful for: - Restricted environments (UDP/53 blocked) - Privacy-focused setups - Building DNS clients - Container orchestration platforms

Bulk Certificate Download

Script to download all certificates at once:

#!/bin/bash
# qip-download-all-certs.sh

CERT_DIR="${1:-.}/qip-certs"
ZONES=(i x c v p j k)

mkdir -p "$CERT_DIR"

for zone in "${ZONES[@]}"; do
    echo "Downloading ${zone}.qip.sh..."
    curl -fsSL "https://qip.sh/cert/${zone}.qip.sh.pem" -o "$CERT_DIR/${zone}.qip.sh.pem"
    echo "  ✓ Downloaded"
done

echo "All certificates downloaded to: $CERT_DIR"

Usage:

./qip-download-all-certs.sh /etc/certs/qip

Dynamic Hostname Generation

Using qip.sh for ephemeral environments:

#!/bin/bash
# Create dynamic qip.sh hostname for container

IP="$1"
PREFIX="${2:-app}"
SERVICE="${3:-x}"  # Which zone: i, x, c, v, p, j, k

# Get encoded hostname for IP
ENCODED=$(dig @ns.qip.sh -x "$IP" +short | grep "\.${SERVICE}\.qip\.sh" | head -1 | sed 's/\.$//')

# Create prefixed hostname
HOSTNAME="${PREFIX}-${ENCODED}"

echo "$HOSTNAME"
# Usage: export APP_HOST=$(./gen-hostname.sh 10.0.1.50 app x)

Monitoring Certificate Expiry

Script to monitor certificate expiration:

#!/bin/bash
# qip-cert-monitor.sh - Alert when certificates are near expiry

ZONES=(i x c v p j k)
WARN_DAYS=7

for zone in "${ZONES[@]}"; do
    EXPIRES=$(curl --head https://qip.sh/cert/${zone}.qip.sh.pem 2>/dev/null | \
              grep -i expires | cut -d' ' -f2-)
    
    EXPIRES_EPOCH=$(date -d "$EXPIRES" +%s 2>/dev/null || date -jf "%a, %d %b %Y %H:%M:%S" "$EXPIRES" +%s)
    NOW_EPOCH=$(date +%s)
    DAYS_LEFT=$(( ($EXPIRES_EPOCH - $NOW_EPOCH) / 86400 ))
    
    if [ "$DAYS_LEFT" -lt "$WARN_DAYS" ]; then
        echo "⚠️  ${zone}.qip.sh certificate expires in $DAYS_LEFT days!"
    else
        echo "✓ ${zone}.qip.sh certificate expires in $DAYS_LEFT days"
    fi
done

API Reference

DNS Resolution

Endpoint: Standard DNS (port 53 and 5353) Server: ns.qip.sh

# Query A record
dig @ns.qip.sh app.i.qip.sh

# Query with short format
dig @ns.qip.sh app.i.qip.sh +short

Reverse Lookup (PTR)

# Get all qip.sh hostnames for an IP
dig @ns.qip.sh -x <IP-ADDRESS>

# Short format
dig @ns.qip.sh -x <IP-ADDRESS> +short

# Explicit PTR query
dig @ns.qip.sh -t PTR <IP-ADDRESS-REVERSED>.in-addr.arpa

DNS-over-HTTPS (DoH)

Endpoint: https://qip.sh/dns-query

Methods: GET, POST

Example:

curl 'https://qip.sh/dns-query?name=app.i.qip.sh&type=A'
curl 'https://qip.sh/dns-query?name=1.0.0.127.in-addr.arpa&type=PTR'

Response Format: application/dns-json (RFC 8427)

Certificate Download

Endpoints: - PEM: https://qip.sh/cert/<zone>.qip.sh.pem - ZIP: https://qip.sh/cert/<zone>.qip.sh.zip

Response Headers: - Content-Type — application/octet-stream - Expires — certificate expiry date - Last-Modified — certificate issue date

Rate Limiting

No official rate limits for normal usage. Service is designed for production use.

FAQ

How do I know which qip.sh zone to use?

Check your IP address first: - 127.x.x.x → use *.i.qip.sh (localhost) - 10.x.x.x → use *.x.qip.sh - 100.64.x.x - 100.127.x.x → use *.c.qip.sh (CGNAT) - 192.168.x.x → use *.v.qip.sh - 172.16.x.x - 172.31.x.x → use *.p.qip.sh - 198.18.x.x → use *.j.qip.sh - 198.19.x.x → use *.k.qip.sh

Use the reverse lookup feature to find all valid hostnames for your IP.

Can I use qip.sh for production?

Yes, absolutely. qip.sh is designed for production use in private networks. It’s suitable for: - Internal microservices - Home lab infrastructure - Kubernetes/Docker - IoT device UIs - Private SaaS applications

Do you log DNS queries?

qip.sh maintains minimal operational logs for service reliability and debugging. We do not correlate, sell, or share query data. Your privacy is important to us.

What happens if a certificate expires?

Simply re-download the latest certificate and reload your web server or reverse proxy. Certificates are automatically renewed every 60 days, so you can set up automated renewal scripts (cron jobs) to download fresh certificates regularly.

Can I share qip.sh certificates across multiple servers?

Yes. The wildcard certificates are designed to be shared across all servers/services using the same zone. For example, all services using *.i.qip.sh can share the same i.qip.sh.pem certificate.

How do I handle certificate renewal in Docker/Kubernetes?

Use a sidecar container or init container to download and mount certificates:

apiVersion: v1
kind: ConfigMap
metadata:
  name: qip-certs-init
data:
  download-certs.sh: |
    #!/bin/bash
    curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o /certs/i.qip.sh.pem
    chmod 600 /certs/i.qip.sh.pem
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-qip
spec:
  initContainers:
    - name: fetch-certs
      image: curlimages/curl
      volumeMounts:
        - name: certs
          mountPath: /certs
        - name: scripts
          mountPath: /scripts
      command:
        - sh
        - /scripts/download-certs.sh
  containers:
    - name: app
      image: myapp:latest
      volumeMounts:
        - name: certs
          mountPath: /certs
          readOnly: true
  volumes:
    - name: certs
      emptyDir: {}
    - name: scripts
      configMap:
        name: qip-certs-init
        defaultMode: 0755

Does qip.sh work offline?

No. qip.sh is a cloud service that requires internet connectivity for DNS resolution. For offline usage, consider setting up your own DNS server or using /etc/hosts.

Can I use qip.sh with a load balancer?

Yes. qip.sh hostnames resolve to single IPs, but you can: 1. Put your load balancer at a qip.sh IP 2. Have the load balancer distribute traffic to multiple backends 3. Use prefixes to create multiple qip.sh hostnames for different services

How do I debug DNS resolution issues?

# Check DNS server response
dig @ns.qip.sh app.i.qip.sh

# Check with more details
dig @ns.qip.sh app.i.qip.sh +noall +answer

# Use nslookup
nslookup app.i.qip.sh ns.qip.sh

# Check via DoH
curl 'https://qip.sh/dns-query?name=app.i.qip.sh&type=A'

# Test connectivity
nc -zv ns.qip.sh 53

What’s the difference between qip.sh and nip.io?

Troubleshooting

DNS Resolution Not Working

Problem: dig app.i.qip.sh returns no results

Solutions:

1. Check DNS server

# Explicitly use qip.sh nameserver
dig @ns.qip.sh app.i.qip.sh +short

2. Verify hostname format

# Correct formats:
app.i.qip.sh           # ✓ Valid
app-i.qip.sh           # ✗ Wrong zone
app.127.0.0.1.qip.sh   # ✓ Valid (dot notation)

3. Test with nslookup

nslookup app.i.qip.sh ns.qip.sh

4. Check network connectivity

# Can you reach the DNS server?
nc -zv ns.qip.sh 53
ping -c 1 ns.qip.sh

Certificate Installation Errors

Problem: “certificate verify failed” or similar

Solutions:

1. Verify certificate is valid

curl --head https://qip.sh/cert/i.qip.sh.pem
# Should return 200

2. Check certificate path in config

# Nginx example - verify file exists
ls -la /etc/nginx/certs/i.qip.sh.pem

3. Verify certificate content

openssl x509 -in i.qip.sh.pem -text -noout

4. Check certificate and private key match

# Get modulus of certificate
openssl x509 -in i.qip.sh.pem -noout -modulus | openssl md5

# Get modulus of private key
openssl rsa -in i.qip.sh.pem -noout -modulus | openssl md5

# They should match

HTTPS Connection Issues

Problem: Browser shows “SSL certificate error” or “NET::ERR_CERT_AUTHORITY_INVALID”

Solutions:

1. Verify hostname matches certificate

# Certificate should cover *.i.qip.sh
openssl x509 -in i.qip.sh.pem -text -noout | grep -A1 "Subject Alternative"

2. Check TLS version

# Ensure TLS 1.2+
curl -TLSv1_2 https://app.i.qip.sh --cacert i.qip.sh.pem

3. Verify reverse proxy is serving correct certificate

# Test what certificate is being served
echo "" | openssl s_client -connect app.i.qip.sh:443

Certificate Expiry Issues

Problem: Certificate expired or expiring soon

Solutions:

1. Check expiry date

curl --head https://qip.sh/cert/i.qip.sh.pem | grep -i expires

2. Download latest certificate

curl -fsSL https://qip.sh/cert/i.qip.sh.pem -o i.qip.sh.pem

License & Attribution

Powered by CoreDNS

qip.sh is a free service designed for developers. For production deployments at scale or with specific compliance requirements, consider discussing custom arrangements.

Last Updated: December 2025
Version: 1.0