Just a heads up that services like these won't work behind security-aware DNS recursive resolvers (like OpenDNS) or routers (like Google Wifi) that block DNS rebinding attacks.
Are you sure? I think these dns names are deterministic, they never change, for example www.10.0.0.1.xip.io will always resolve to 10.0.0.1 - and I don't think there is a mode where a name could resolve to different ipv4 addresses at different times.
EDIT: I experimentally confirmed that opendns and google dns, which claim to block dns rebinding attacks, do not block xip.io or subdomains thereof
It depends on the implementation of the DNS rebinding protection.
I have just checked, and my pfSense firewall (which claims to block DNS rebinding) blocks local addresses from resolving through xip.io (tested with loopback and several RFC1918. All blocked, regardless of whether they match the subnet in use). External addresses (e.g. 1.1.1.1.xip.io) resolve fine.
We've used this before, and it seems to be catastrophically unreliable.We had development projects on a internal development reverse proxy that we wanted to specify with a name, and found that it quite often broke down. It could be their DNS relay, or some other network event, but at least once a week, it would simply timeout.
I would kill to be able to specify wildcards in /etc/hosts file. That seems to be the sweet-spot.
I've used ngrok in the past for exposing local projects but didn't like being time limited and then having someone try to sell me something. The setup I went with is I forward my local http servers port over an ssh tunnel to a local port listening on a gcompute VPS running apache with a virtualhost configured using mod_proxy to listen on a subdomain managed my cloudflare, cloudflare then takes care of the https/ssl certificates and your good to go!
This setup has been working better than ngrok for me, The only thing I miss is ngroks logging, but I haven't come accross anything I couldn't debug between apaches access.log and my local development console.
For anyone doing this more than once a day I really reccomend investing in building your own infastructure, even if you don't learn a thing or two at least your brushing up on a topic.
Thanks for the comment-
I haven't used Serveo personally, but it looks like a product that ticks pretty much all the boxes my setup goes for without all of the configuration-
And their not trying to sell me something
+1 for serveo
We ended up using ngrok for our development builds and while it's certainly a lot more setup (and it costs us money) I am pretty happy with the results and as a customer for that use case.
We sell a SaaS e2e testing product for large enterprises (clients like Microsoft/Wix/JPM etc) and this use case (serving the dev environment to the CI or between computers) was so common that we baked it into our CLI.
I agree. If you're using it for development within your company, you should just configure your own. There are a number of open source DNS resolvers (some mentioned in these comments) that can be configured to do this.
Personally I just set up (dev machine is always running some Debian or derivatives) Traefik as a reverse proxy and set up local dev websites/app with *.localhost. I don't bother adding localhost self-signed certs to FF though (never really could make it work anyway). Easier to click "yes, trust that certificate for that localhost subdomain).
I generally didn’t use xip.io in the browser bar, the use cases are more commonly putting the address in web forms for things that return a wildcard address but need to be a well-formed domain name. I’ve used xip.io for AWS security rules, CORS rules, Google API redirects, mobile app testing against a local server, stuff like that...
I know my corporate firewalls do not allow connections to bare ip addresses. This allows me to bypass that check for things I haven't assigned names to already.
this makes no sense -- all tcp connections are already to the "bare ip address". dns lookup happens independently of the ip connection. in the case of a browser, your browser asks the local resolver (or with doh, remote nameserver) what the ip is for a given domain, then connects to that ip. I suppose it's possible your network has some strange setup that pokes holes through the firewall based on dns requests, but that would be obscenely expensive both computationally and financially.
The simplest implementation of this would be to block all outbound traffic for all hosts by default, and allow only web traffic out through a proxy. Then for other specific services poke holes for specific src<->dst.
Interestingly enough, Plex is running something very similar to this to support SSL for all of their users. a-b-c-d.guid.plex.direct will resolve to a.b.c.d. (Where guid is replaced with a guid, without dashes.)
Quick PSA: You can do this yourself on cloudflare. I've got a sub-domain of my web site, "localhost.my.site". That resolves to localhost. I also added a wildcard, "*.localhost.my.site", which also resolves to localhost. It's pretty easy to do, and a handy trick. I figure some one probably turned this into a blog post, but this way you don't have to rely on some one else's stuff going down. I also use it for my local domain, cause I don't want to bother running a local DNS server.
xip.io runs a custom DNS server on the public Internet."
Is there a way to provide wildcard DNS without sending internal LAN IP addresses to a closed source "custom DNS server" over the public Internet?
Yes. If you are a djbdns^1 user, and you wanted all subdomains of xip.io to resolve to 10.0.0.1:
# Assuming _dnscache and _tinydns are the configuration folders and tinydns listens on 127.0.0.1
cat << eof > _tinydns/root/data
.xip.io.
&*.xip.io:127.0.0.1
=*.xip.io.:10.0.0.1
eof
cd _tinydns/root
make
cd -
echo 127.0.0.1 > _dnscache/root/servers/xip.io
If you are an unbound user, you can put dnscache in front of unbound:
https://en.wikipedia.org/wiki/DNS_rebinding
https://support.google.com/wifi/answer/9144137?hl=en