Any subdomain resolves to 127.0.0.1 by default. Embed a specific IP to override. Valid HTTPS included. No setup, no sign-up.
$ dig myapp.nar0.com +short
→
127.0.0.1
myapp.nar0.com → 127.0.0.1 default9-9-9-9.nar0.com → 9.9.9.9 dashed8.8.8.8.nar0.com → 8.8.8.8 dotted09090909.nar0.com → 9.9.9.9 hex2620-fe--fe.nar0.com → 2620:fe::fe IPv6myapp.8-8-4-4.nar0.com → 8.8.4.4 prefixeda.b.c.10-0-0-1.nar0.com → 10.0.0.1 deep subdomainAdd any prefix labels for virtual hosting, distinct TLS certs, or service naming. Nesting depth is unlimited.
Just use https://myapp.nar0.com - it resolves to 127.0.0.1 by default. Valid TLS, no self-signed certs, no browser warnings. OAuth callbacks, secure cookies, and service workers all work.
Multiple services on different local IPs? api.10-0-0-1.nar0.com and web.10-0-0-2.nar0.com each resolve to distinct addresses. No DNS config needed.
Automated tests that need DNS names for dynamic IPs. No DNS provider API calls, no propagation delays. The hostname encodes the IP directly.
Give each staging server a readable hostname like staging.10-0-1-50.nar0.com. No DNS records to manage when IPs change.
Valid Let's Encrypt cert for *.nar0.com. Real HTTPS to any IP with zero setup.
Localhost, LAN, Docker, Kubernetes. 127.0.0.1, 10.x, 172.16.x, 192.168.x all resolve.
Full IPv4 and IPv6. Dashed, dotted, and hex formats.
RFC 8484 DoH endpoint at /dns-query. GET and POST.
curl nar0.com/ip returns your public IP as plain text.
No sign-up, no API keys, no DNS records. The hostname is the configuration.
/dns-query?dns={base64url} DoH query (RFC 8484)/dns-query DoH with application/dns-message body/ip Your public IP as plain text/health Health checkWorks with any tool that does DNS - nginx, Traefik, Node.js, anything. Here's Caddy as an example:
# Caddyfile
myapp.nar0.com {
reverse_proxy localhost:3000
}
# Start Caddy
$ caddy run
# Open in browser - valid HTTPS, no cert setup
$ open https://myapp.nar0.commyapp.nar0.com resolves to 127.0.0.1 by default. Any subdomain without an IP works the same way.
A free DNS and TLS service for developers. myapp.nar0.com resolves to 127.0.0.1 with a valid HTTPS certificate. Embed any IP to override.
Just use https://myapp.nar0.com. Any subdomain without an embedded IP defaults to 127.0.0.1. The wildcard TLS cert for *.nar0.com provides valid HTTPS. No self-signed certs, no browser warnings. Or embed the IP explicitly: https://myapp.127-0-0-1.nar0.com.
Yes. Loopback (127.0.0.1), RFC 1918 (10.x, 172.16.x, 192.168.x), and other private ranges all resolve. The IP is deterministic from the hostname, so there is no DNS rebinding risk.
No. nar0.com only handles DNS resolution. When you visit https://myapp.nar0.com, your browser queries DNS once, gets back 127.0.0.1, then connects directly to that IP. No application traffic passes through nar0.com servers.
Yes. No sign-up, no API keys, no rate limits beyond abuse prevention.
IPv6 support, DNS-over-HTTPS (RFC 8484), PTR reverse lookups, hex format, and a public IP endpoint at curl nar0.com/ip.
Yes. nar0.com does not log DNS queries, runs no analytics on DNS traffic, and stores no user data. The service is completely stateless - it extracts the IP from the hostname and returns it. Nothing is recorded.
Email abuse[at]nar0.com. We respond to all reports within 24 hours.
DNS queries require internet. For offline resilience, add a local fallback in your resolver:
Pi-hole: Local DNS Records → *.nar0.com → 127.0.0.1
AdGuard Home: DNS rewrites → *.nar0.com → 127.0.0.1
Unbound: local-zone: "nar0.com" redirect + local-data: "nar0.com A 127.0.0.1"