ip.addr.tools - construct domain names that resolve to any given IP address
192-0-2-1.ip.addr.tools and 192.0.2.1.ip.addr.tools resolve to 192.0.2.1
anything.at.all.203-0-113-1.ip.addr.tools resolves to 203.0.113.1
2001-db8--1.ip.addr.tools resolves to 2001:db8::1
this.too.2001-db8--1.ip.addr.tools resolves to 2001:db8::1
http[s]://self.ip.addr.tools redirects, resolves to your external IP
nsupdate -4 -v
> update add _acme-challenge.192-168-0-1.ip.addr.tools 60 TXT secret
For any IPv4 address a.b.c.d, the names (and all subdomains of) a-b-c-d.ip.addr.tools and a.b.c.d.ip.addr.tools will resolve to that IPv4 address.
Similarly for any IPv6 address, the name (and all subdomains of the name) produced by replacing every colon with a hyphen in any valid representation of that IPv6 address, then prepending that string to ".ip.addr.tools", will resolve to that IPv6 address.
self.ip.addr.tools is a helper HTTP(S) service that redirects to the domain name which resolves to your external IPv4 address. self6 can be used instead to resolve to your external IPv6 address.
It is possible to obtain TLS certificates for these domain names from certificate authorities supporting the ACME protocol, such as Let's Encrypt.
RFC 2136 dynamic updates can be used to complete a dns-01 challenge. These updates are limited to adding and deleting TXT records to "_acme-challenge" subdomains. Anyone can make such updates to names which resolve to private IP addresses. In order to make such an update to a name which resolves to a public IP address (like your external IP address), the update request must use TCP (not UDP) and must come from the IP address corresponding to the name being updated. In other words, you can't make updates to domain names which resolve to public IP addresses other than yours.
When making an update to the name which resolves to your public IPv4 address, make sure the request is made over IPv4. The same goes for IPv6. The nsupdate utility provides "-4" and "-6" options to force IPv4 or IPv6 (as well as "-v" to force TCP).
TXT records added via RFC 2136 updates are automatically removed after a few minutes.
TSIG is not required. However, if your RFC 2136 client requires TSIG, use the algorithm, key name and secret provided below.
TSIG key algorithm: HMAC-SHA1
TSIG key name: ip.addr.tools.
TSIG secret: ipL40QrEy8cSwmP6OqCihGlYNmE=
Certificates have been successfully issued using certbot with the certbot-dns-rfc2136 plugin, as well as in pfSense using the ACME package.
dnscheck.tools - test for DNS leaks, DNSSEC validation, and more
info.addr.tools - view low-level identifying data for IP addresses and domain names
On reddit, u/dnschecktool