Overview
Fioness is a free subdomain service running on Cloudflare Workers. Claim up to 3 subdomains on shi-n.ing and point them using any standard DNS record type, no account required.
- Free forever: 3 subdomains per account, no payment required
- Instant activation: live in under a second
- Full DNS support: A, AAAA, CNAME, MX, SPF, DKIM, DMARC, TXT, CAA, SRV, NS, PTR and more
- Secure: HSTS mandatory for .ing TLDs, optional TOTP 2FA on accounts
- Anonymous-first: claim without an account, link to one later
Claiming a Subdomain
Visit get.shi-n.ing to claim. No account needed.
Enter a name
Lowercase letters, numbers, hyphens. Blocked names (brands, infrastructure) cannot be claimed.
Choose a DNS record type
CNAME, A, AAAA, MX, SPF, DKIM, DMARC, TXT, CAA, SRV, NS, or PTR: all supported.
Enter the record value
The form shows the correct format per type. For CNAME enter a hostname; for A enter an IPv4 address.
Click Claim
Active in ~20-40 ms. The Worker starts proxying traffic immediately.
DNS Record Types: Quick Reference
All DNS record type information is sourced from Cloudflare's DNS documentation. Each record has a maximum wire-format size of 4,096 bytes (RFC 1035). Multiple records with the same name and type must not exceed 8,192 characters combined.
| Type | Category | Purpose | Example value |
|---|---|---|---|
| A | IP resolution | Maps name → IPv4 address | 203.0.113.42 |
| AAAA | IP resolution | Maps name → IPv6 address | 2001:db8::1 |
| CNAME | IP resolution | Aliases name → another hostname | mysite.com |
| MX | | Specifies mail server | mail.mysite.com |
| SPF | Email auth | Lists authorised sending servers | v=spf1 include:mysite.com ~all |
| DKIM | Email auth | Cryptographic email signing key | v=DKIM1; k=rsa; p=... |
| DMARC | Email auth | Policy for unauthenticated email | v=DMARC1; p=reject; rua=mailto:... |
| TXT | Specialized | Free-form text; verification tokens | my-verification-value |
| CAA | Specialized | Restricts certificate authorities | 0 issue "letsencrypt.org" |
| SRV | Specialized | Host & port for services (VOIP, XMPP…) | 10 5 5060 sip.mysite.com |
| NS | Delegation | Nameserver for subdomain delegation | ns1.mysite.com |
| PTR | Reverse DNS | Maps IP back to hostname | myserver.mysite.com |
| SOA | Authority | Zone metadata; auto-managed by Cloudflare | automatic |
| DS / DNSKEY | DNSSEC | Cryptographic chain-of-trust | via CF DNSSEC setup |
| SVCB / HTTPS | Connection | Advertises HTTP/2 & HTTP/3 support | auto-generated by CF |
A & AAAA Records
A records map a name to one or more IPv4 addresses. AAAA records map to IPv6. These are the only record types that can be proxied through Cloudflare's CDN.
| Field | Notes |
|---|---|
| Name | Subdomain or zone apex (@). Labels max 63 chars; FQDN max 253 chars. |
| Address | Your origin server IP. Cannot be a Cloudflare IP. For AAAA, stored in canonical notation (e.g. fe80::0:0:1 → fe80::1). |
| TTL | Cache duration. Proxied records default to Auto (300 s). DNS-only lets you customise. |
| Proxy | Proxied or DNS only. Only proxied records get Cloudflare CDN benefits. |
1.1 for 1.0.0.1 are not supported for A records.
Example
| Type | Name | Value |
|---|---|---|
| A | you.shi-n.ing | 203.0.113.42 |
| AAAA | you.shi-n.ing | 2001:db8::1 |
CNAME Records
CNAME (Canonical Name) records alias one domain name to another. The final target in the chain must resolve to a valid A or AAAA record. Queries for other record types on the same name are not supported when using CNAME.
| Field | Notes |
|---|---|
| Name | The subdomain being configured. |
| Target | The hostname where traffic is directed (e.g. mysite.com or myapp.netlify.app). |
| TTL | Auto (300 s) when proxied. |
Cloudflare uses CNAME flattening to resolve the chain at the edge, returning the final IP directly, which improves performance and enables CNAME at the zone apex.
Example
| Type | Name | Value |
|---|---|---|
| CNAME | you.shi-n.ing | mysite.com |
MX Records
A Mail Exchange (MX) record specifies which mail server is responsible for accepting email for a domain. Without an MX record, email to that domain cannot be delivered.
| Field | Notes |
|---|---|
| Name | The domain that receives email. |
| Mail server | Hostname of the mail server (must resolve to an A or AAAA record). |
| Priority | Lower number = higher priority. Multiple MX records are tried lowest-first. |
Example
| Type | Name | Value |
|---|---|---|
| MX | you.shi-n.ing | mail.mysite.com |
Email Authentication: SPF, DKIM, DMARC
These three records work together to prove email is legitimate and prevent your domain being used for spoofing. They are recommended even for domains that never send email: set restrictive values to block abuse.
SPF: Sender Policy Framework
Lists IP addresses and services authorised to send email on behalf of your domain. Receiving servers check this before accepting a message.
| Use case | Value |
|---|---|
| Google Workspace | v=spf1 include:_spf.google.com ~all |
| Custom server | v=spf1 ip4:203.0.113.1 ~all |
| No email sent | v=spf1 -all |
DKIM: DomainKeys Identified Mail
Uses a public/private key pair. The private key signs outgoing email on your mail server; the public key is published in DNS so receivers can verify the signature.
| Field | Value |
|---|---|
| Name format | selector._domainkey (the selector is provided by your mail provider) |
| Value format | v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A... |
DMARC: Domain-based Message Authentication
Instructs receiving mail servers what to do when SPF or DKIM checks fail, and where to send aggregate reports.
| Policy (p=) | Effect |
|---|---|
| none | Monitor only: no action on failures. Good starting point. |
| quarantine | Send failing messages to spam. |
| reject | Reject failing messages outright. Strongest protection. |
v=DMARC1; p=reject; rua=mailto:dmarc@mysite.com; adkim=s; aspf=s
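The SPF and DMARC values in the tables above can be checked mechanically before they are published. The linter below is an added example, not Fioness or Cloudflare code; the function names and finding texts are illustrative, and it covers only the `all` qualifier and the `p`, `rua`, `adkim` and `aspf` tags.

```python
# Added example (not Fioness or Cloudflare code): lint SPF and DMARC TXT values.

def lint_spf(record):
    """Return findings for an SPF value (RFC 7208); an empty list means strict."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    # Left-to-right evaluation: the first 'all' decides for every sender
    # that no earlier mechanism matched.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {
        "+": ["+all authorises every sender"],
        "?": ["?all is neutral: unlisted senders are not failed"],
        "~": ["~all is softfail: unlisted senders are marked, not failed"],
        "-": [],
    }[qualifier]

def parse_tags(record):
    """Split DMARC 'tag=value; tag=value' syntax into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return findings for a DMARC value (RFC 7489); empty list means strict."""
    tags = parse_tags(record)
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["not a DMARC record: first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":  # relaxed is the default
            findings.append(f"{tag} is relaxed: any name under the same "
                            "organisational domain aligns")
    return findings

if __name__ == "__main__":
    # Values copied from the tables above.
    for value in ("v=spf1 include:_spf.google.com ~all", "v=spf1 -all"):
        print(value, "->", lint_spf(value) or "ok")
    print(lint_dmarc("v=DMARC1; p=none"))
```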
p=none and monitor reports for a few weeks before moving to quarantine or reject.
TXT Records
TXT (text) records store arbitrary text strings in DNS. They are commonly used for domain ownership verification before issuing SSL certificates, and as the underlying format for SPF, DKIM, and DMARC.
Content is one or more text strings in double quotes. Cloudflare adds quotes automatically if omitted when creating the record.
Example
| Type | Name | Value |
|---|---|---|
| TXT | you.shi-n.ing | google-site-verification=abc123xyz |
CAA Records
Certificate Authority Authorization (CAA) records specify which CAs may issue SSL/TLS certificates for your domain. This prevents rogue or misissued certificates.
| Tag | Meaning |
|---|---|
| issue | Authorises CA to issue standard (non-wildcard) certificates |
| issuewild | Authorises CA to issue wildcard certificates |
| iodef | URL or email to report unauthorised issuance attempts |
0 issue "letsencrypt.org"
0 issuewild "sectigo.com"
0 iodef "mailto:security@mysite.com"
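How a CA reads the three records above can be expressed as a small decision function. This is an added example following RFC 8659, not Fioness or Cloudflare code; it goes slightly beyond the table by covering the rule that `issue` also governs wildcard names when no `issuewild` record exists, the empty `";"` value, and the critical flag. Function names are illustrative.

```python
# Added example (not Fioness or Cloudflare code): CAA evaluation per RFC 8659.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(value):
    """Parse '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, rest = value.split(None, 2)
    return int(flags), tag.lower(), rest.strip().strip('"')

def may_issue(records, ca_domain, wildcard=False):
    """Would the CA identified by ca_domain be permitted to issue?"""
    parsed = [parse_caa(r) for r in records]
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in parsed):
        return False
    issue = [v for _, tag, v in parsed if tag == "issue"]
    issuewild = [v for _, tag, v in parsed if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue whenever one is present;
    # otherwise the issue records apply to wildcard names as well.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef present: issuance is not restricted
    # Value is 'ca-domain[; parameters]'; an empty domain (";") names no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

# The three records shown above.
PAGE_RECORDS = [
    '0 issue "letsencrypt.org"',
    '0 issuewild "sectigo.com"',
    '0 iodef "mailto:security@mysite.com"',
]

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "sectigo.com"):
        for wild in (False, True):
            print(ca, "wildcard" if wild else "standard",
                  may_issue(PAGE_RECORDS, ca, wildcard=wild))
```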
SRV Records
Service (SRV) records specify the hostname and port for specific services such as SIP (VOIP), XMPP (messaging), and others that need DNS-based service discovery.
Record names use the format _service._proto.name (e.g. _xmpp._tcp.you.shi-n.ing). SRV records cannot be proxied.
| Field | Description |
|---|---|
| Priority | Lower = higher priority when multiple SRV records exist |
| Weight | Load-balancing weight among same-priority records |
| Port | TCP/UDP port the service listens on |
| Target | Hostname of the server |
In the Fioness value field, enter as: priority weight port hostname
10 5 5060 sip.mysite.com
SVCB & HTTPS Records
Service Binding (SVCB) and HTTPS records let a client learn upfront how to connect to a server, including whether to use HTTP/2 or HTTP/3, without an initial plaintext connection. This reduces latency and improves security.
If your domain has HTTP/2 or HTTP/3 enabled with Cloudflare's Universal SSL and proxied DNS records, Cloudflare generates HTTPS records automatically. You do not need to add them manually in most cases.
NS Records
Nameserver (NS) records indicate which DNS server is authoritative for a zone or subdomain. You only need to add NS records when delegating a subdomain to a different DNS provider than the parent zone.
Example (subdomain delegation)
| Type | Name | Value |
|---|---|---|
| NS | sub.you.shi-n.ing | ns1.mysite.com |
PTR Records
Pointer (PTR) records map an IP address back to a hostname, the reverse of an A record. They live in reverse DNS zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) and are used for reverse lookups (e.g. mail server identity checks).
PTR records are typically controlled by your hosting provider. You can use them in Fioness if you manage the reverse zone for your IP block.
Example
| Type | Name | Value |
|---|---|---|
| PTR | you.shi-n.ing | myserver.mysite.com |
SOA Records
The Start of Authority (SOA) record stores zone metadata: primary nameserver, admin email address, serial number, and cache TTLs. Every DNS zone has exactly one SOA record.
If you use Cloudflare as your authoritative DNS, you do not need to create an SOA record; Cloudflare creates and maintains it automatically when you add the zone to your account.
DNSSEC: DS & DNSKEY Records
DNSSEC uses cryptographic signatures to ensure DNS responses are authentic and tamper-proof. It creates a verifiable chain of trust from the root DNS servers down to individual records in your zone.
- DNSKEY records: public cryptographic keys stored in your zone, used to verify signed records.
- DS records: delegation signer records stored at the parent TLD registry, establishing the chain of trust from the parent to your zone.
How It Works
Cloudflare's wildcard DNS record catches all *.shi-n.ing requests and routes them to the Worker before reaching any origin.
Browser → Cloudflare Edge → Worker
                               ↓
                 KV lookup: subdomain:yourname
                               ↓
                  ┌────────────┴────────────┐
                  │                         │
             Record found               Not found
           Reverse proxy →              → 404 page
         target destination
The Worker injects HSTS headers on every response (mandatory for .ing TLDs on the HSTS preload list) and forwards the full URL path and query string to your configured target.
Domain Verification
After claiming, Fioness provides a TXT token you can add to your own DNS to prove you control the target. Add it at your DNS provider:
| Type | Name | Value |
|---|---|---|
| TXT | _fioness.you.shi-n.ing | fioness-verify=abc123… |
Verification is optional but may be required for future features such as custom certificates.
Accounts
Claim anonymously with a browser token, or create an account to manage subdomains across devices. Account features:
- Manage subdomains from any device or browser
- Receive email confirmations and password reset links
- Enable TOTP two-factor authentication
- Same 3-subdomain limit as anonymous users
Passwords are hashed (SHA-256 + email salt) before storage. Sessions are 30-day bearer tokens in localStorage.
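SHA-256 is a fast hash and an e-mail address is a predictable salt, so the same e-mail and password always produce the same stored value. The sketch below is an added example, not Fioness code: it shows the scheme as described (the concatenation order is an assumption) next to PBKDF2 with a random per-user salt, plus a way to upgrade already-stored hashes without knowing the passwords. The storage format and function names are illustrative.

```python
# Added example (not Fioness code). Field layout and names are assumptions.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware allows

def hash_as_described(email, password):
    """SHA-256 with the e-mail as salt; concatenation order is assumed."""
    return hashlib.sha256((email + password).encode()).hexdigest()

def hash_slow(secret):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, as a storable string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_slow(secret, stored):
    """Recompute with the stored salt and cost, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def wrap_legacy(legacy_hex):
    """Upgrade a stored fast hash without the password: slow-hash the hash."""
    return "wrapped$" + hash_slow(legacy_hex)

def verify(email, password, stored):
    """Check a login against either a wrapped legacy hash or a native one."""
    if stored.startswith("wrapped$"):
        legacy = hash_as_described(email, password)
        return verify_slow(legacy, stored[len("wrapped$"):])
    return verify_slow(password, stored)

if __name__ == "__main__":
    # Constructed sample account.
    email, password = "user@example.com", "correct horse battery staple"
    legacy = hash_as_described(email, password)
    print("deterministic:", legacy == hash_as_described(email, password))
    print("wrapped verifies:", verify(email, password, wrap_legacy(legacy)))
```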
Two-Factor Authentication
TOTP-based 2FA per RFC 6238. Works with Google Authenticator, Authy, 1Password, Bitwarden, and any TOTP app.
Go to Manage → Account & Security
Click "Enable 2FA" to generate a QR code.
Scan the QR code
Open your authenticator app and scan, or manually enter the secret key.
Confirm with a code
Enter the 6-digit code to confirm. 2FA activates immediately.
Sign in with 2FA
Future logins require your authenticator code after the password.
Blocked Subdomain Names
Certain names are blocked to prevent abuse:
- Reserved (www, mail, api, get, etc.): infrastructure. Cannot be claimed.
- Brand / scam-risk (dhl, amazon, paypal, etc.): visitors are redirected to get.shi-n.ing to prevent phishing.
To suggest an addition, contact hi@shi-n.ing.