Mist 🌫️ DNS Isolation for the editor.land Private Network


Welcome to Mist! This element provides DNS isolation and private network resolution for the Land Code Editor. It creates a secure DNS sandbox that resolves all *.editor.land domains locally to 127.0.0.1, ensuring that all private network communication remains local and secure.

Mist is engineered to:

  1. Provide Private DNS Resolution: Operate a local DNS server authoritative for the editor.land zone, resolving all subdomains to localhost for secure local communication.
  2. Enforce Forward Security: Implement a forward allowlist that only permits DNS resolution to specific, trusted external domains (e.g., update.editor.land, cdn.crashlytics.com).
  3. Support DNSSEC: Sign the editor.land zone with ECDSA P-256 keys for DNSSEC, providing cryptographic assurance of DNS responses.
  4. Enable Sidecar Isolation: Allow Node.js sidecars (like Cocoon) to use the local DNS server via a custom DNS override, ensuring they cannot access arbitrary external hosts.

Key Features 🌫️

  • Hickory DNS Server: Built on the high-performance Hickory DNS library (formerly Trust-DNS), providing a robust, async DNS server implementation.
  • Authoritative Zone: Operates as an authoritative DNS server for editor.land, resolving all subdomains (*.editor.land) to 127.0.0.1 for secure local communication.
  • Forward Security: Implements a strict allowlist for external DNS queries, preventing sidecars from reaching unauthorized external hosts by default.
  • DNSSEC Support: Signs the authoritative zone with ECDSA P-256 keys, providing cryptographic integrity and authenticity for DNS responses.
  • Dynamic Port Selection: Automatically selects an available port if the preferred port (5380) is unavailable, ensuring robust startup behavior.
  • Async Runtime: Built on Tokio for efficient, non-blocking DNS query handling.
  • Cross-Platform: Works on macOS, Linux, and Windows with consistent behavior.

Architecture 🏗️

Mist follows a layered architecture:

┌─────────────────────────────────────────────────────────────────┐
│                     Applications (Wind, Cocoon)                 │
│                          (DNS Queries)                          │
└────────────────────────────────┬────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│                Mist DNS Server (127.0.0.1:PORT)                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                        DNS Catalog                        │  │
│  │  ┌──────────────────────┐  ┌──────────────────────┐       │  │
│  │  │ Editor.land Zone     │  │ Forward Allowlist    │       │  │
│  │  │ (Authoritative)      │  │ (Restricted Access)  │       │  │
│  │  │ *.editor.land →      │  │ update.editor.land   │       │  │
│  │  │ 127.0.0.1            │  │ cdn.crashlytics.com  │       │  │
│  │  └──────────────────────┘  └──────────────────────┘       │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
│  Hickory DNS Server Core (UDP + TCP)                            │
│  - Request parsing and response construction                    │
│  - Zone lookup and record matching                              │
│  - DNSSEC signature verification                                │
└─────────────────────────────────────────────────────────────────┘

Components

  • lib.rs: Main library entry point, exports public API and manages the DNS server state.
  • server.rs: DNS server implementation using Hickory, handles UDP/TCP listeners and catalog management.
  • zone.rs: DNS zone configuration for editor.land, including record definitions and authority creation.
  • resolver.rs: DNS resolver for use by other components, provides interface to the local DNS server.
  • forward_security.rs: Forward allowlist management, restricts which external domains can be resolved.
  • tests/integration.rs: Comprehensive integration tests for DNS server functionality.

Usage 🔧

Starting the DNS Server

Start the DNS server on a specific port (or 0 for auto-selection):

use Mist::start;

// Start on the preferred port 5380
let port = start(5380)?;

// Or pass 0 to let the system select an available port
let port = start(0)?;

println!("DNS server running on 127.0.0.1:{}", port);

Getting the DNS Server Port

Retrieve the current DNS server port:

use Mist::dns_port;

let port = dns_port();
println!("DNS server is on port: {}", port);

Creating a DNS Resolver

Create a resolver that uses the local DNS server:

use Mist::resolver::{land_resolver, LandDnsResolver};

// Simple resolver
let port = Mist::dns_port();
let resolver = land_resolver(port);

// Or with explicit interface
let resolver = LandDnsResolver::new(port);

Building a DNS Catalog

Build a DNS catalog with authoritative zones:

use Mist::server::build_catalog;

let catalog = build_catalog(5380)?;

DNS Zone Configuration 📋

Authoritative Zone: editor.land

All subdomains of editor.land resolve to 127.0.0.1:

  • code.editor.land → 127.0.0.1
  • api.editor.land → 127.0.0.1
  • *.editor.land → 127.0.0.1

Forward Allowlist

Only allowlisted external domains can be resolved:

  • update.editor.land - For application updates
  • cdn.crashlytics.com - For crash reporting

All other external queries are refused by default.
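The resolution policy described by the two lists above, written as an added example that is not Mist's own code and uses no Hickory APIs. Two points are assumptions rather than statements from this README: allowlist entries are matched on the exact owner name (a query that merely ends with an allowlisted name is refused), and because update.editor.land appears both under the *.editor.land wildcard and in the forward allowlist, the allowlist is checked first so that name is forwarded.

```rust
// Added example, not Mist's own code: the README's resolution policy as a pure function.
// Assumed, not from the README: exact-match allowlist, checked before the wildcard zone.
use std::net::Ipv4Addr;

const PRIVATE_ZONE: &str = "editor.land";
const FORWARD_ALLOWLIST: &[&str] = &["update.editor.land", "cdn.crashlytics.com"];

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Answered authoritatively from the local editor.land zone.
    Local(Ipv4Addr),
    /// Forwarded upstream because the name is on the allowlist.
    Forward,
    /// Neither in the zone nor allowlisted: refused, the default.
    Refused,
}

/// Normalise a query name as DNS compares owner names: ASCII case-insensitive, trailing
/// root dot removed. None for an empty name, an empty label, or a label over 63 octets.
pub fn normalize(qname: &str) -> Option<String> {
    let name = qname.trim_end_matches('.').to_ascii_lowercase();
    if name.is_empty() || name.split('.').any(|l| l.is_empty() || l.len() > 63) {
        return None;
    }
    Some(name)
}

/// Decide how a single query name is handled.
pub fn decide(qname: &str) -> Decision {
    let name = match normalize(qname) {
        Some(n) => n,
        None => return Decision::Refused,
    };
    // Exact match only: a suffix match would let "cdn.crashlytics.com.example" through.
    if FORWARD_ALLOWLIST.iter().any(|entry| *entry == name.as_str()) {
        return Decision::Forward;
    }
    // Zone apex or anything below it, on a label boundary so "fakeeditor.land" fails.
    if name == PRIVATE_ZONE || name.ends_with(&format!(".{PRIVATE_ZONE}")) {
        return Decision::Local(Ipv4Addr::LOCALHOST);
    }
    Decision::Refused
}

fn main() {
    for q in ["code.editor.land", "CDN.Crashlytics.com.", "example.com"] {
        println!("{q:<24} -> {:?}", decide(q));
    }
}
```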

DNSSEC

The editor.land zone is signed with ECDSA P-256 keys:

  • DNSKEY records provide the public signing key
  • RRSIG records provide cryptographic signatures
  • Clients can verify the authenticity of DNS responses

Dependencies 📦

Mist depends on the following crates:

  • hickory-server (0.24): DNS server implementation
  • hickory-proto (0.24): DNS protocol implementation
  • hickory-client (0.24): DNS client for resolvers
  • ring (0.17): Cryptographic signing for DNSSEC
  • tokio (1.49): Async runtime
  • anyhow (1.0): Error handling
  • tracing (0.1): Logging and instrumentation
  • once_cell (1.21): Thread-safe lazy initialization
  • portpicker (0.1.1): Random port selection
  • async-trait (0.1): Async trait support
  • reqwest (0.13): HTTP client with DNS integration

Building & Testing 🔨

Building

Build the library:

cargo build --release

Running Tests

Run all tests:

cargo test

Run integration tests:

cargo test --test integration

Run with logging:

RUST_LOG=debug cargo test

Security Considerations 🔒

Mist implements several security features:

  1. Private Network Isolation: All editor.land domains resolve to localhost, preventing any external network access for private services.
  2. Forward Allowlist: External DNS queries are restricted to a trusted allowlist, preventing sidecars from accessing arbitrary external hosts.
  3. DNSSEC: Zone signing provides cryptographic assurance of DNS responses, preventing DNS spoofing attacks.
  4. Loopback Binding: The DNS server only binds to 127.0.0.1, preventing external access to the private DNS server.

Integration with Land 🔗

Mist is integrated into the Land ecosystem:

  • Mountain: Starts the DNS server during application initialization and provides the port to other components via the DnsPort managed state.
  • Air: Uses the DNS server for secure HTTP requests, configuring HTTP clients to use the local DNS resolver.
  • SideCar: Spawns Node.js sidecars with DNS override configuration, ensuring all DNS queries go through the local server.
  • Cocoon: The Node.js extension host can resolve editor.land domains via the local DNS server for gRPC communication with Mountain.

License 📜

This project is licensed under the CC0 1.0 Universal license - see the LICENSE file for details.


Contributing 🤝

Contributions are welcome! Please ensure:

  1. All tests pass: cargo test
  2. Code follows Rust style guidelines: cargo fmt
  3. No clippy warnings: cargo clippy
  4. Documentation is updated as needed

Acknowledgments 🙏

  • Hickory DNS Team - For creating an excellent DNS library
  • Trust-DNS Team - For the original implementation that Hickory builds upon
  • Land Team - For the vision of a secure, private development environment
