DNS Isolation for the editor.land Private Network
Development environments that communicate over the public internet expose services to unnecessary risk. DNS resolution for local services goes through external resolvers, leaking information about the development setup.
"Nothing leaks to the public internet. A clean network boundary between the editor and the outside world."
Welcome to Mist! This element provides DNS isolation and private network
resolution for the Land Code Editor. It creates a secure DNS sandbox that
resolves all *.editor.land domains locally to 127.0.0.1, ensuring that all
private network communication remains local and secure.
Mist is engineered to:
- Provide Private DNS Resolution: Operate a local DNS server authoritative for the `editor.land` zone, resolving all subdomains to localhost for secure local communication.
- Enforce Forward Security: Implement a forward allowlist that only permits DNS resolution to specific, trusted external domains (e.g., `update.editor.land`).
- Support DNSSEC: Sign the `editor.land` zone with ECDSA P-256 keys for DNSSEC, providing cryptographic assurance of DNS responses.
- Enable Sidecar Isolation: Allow Node.js sidecars (like Cocoon) to use the local DNS server via a custom DNS override, ensuring they cannot access arbitrary external hosts.
- Hickory DNS Server: Built on the high-performance Hickory DNS library (formerly Trust-DNS), providing a robust, async DNS server implementation.
- Authoritative Zone: Operates as an authoritative DNS server for `editor.land`, resolving all subdomains (`*.editor.land`) to `127.0.0.1` for secure local communication.
- Forward Security: Implements a strict allowlist for external DNS queries, preventing sidecars from reaching unauthorized external hosts by default.
- DNSSEC Support: Signs the authoritative zone with ECDSA P-256 keys, providing cryptographic integrity and authenticity for DNS responses.
- Dynamic Port Selection: Automatically selects an available port if the preferred port (5380) is unavailable, ensuring robust startup behavior.
- Async Runtime: Built on Tokio for efficient, non-blocking DNS query handling.
- Cross-Platform: Works on macOS, Linux, and Windows with consistent behavior.
Mist follows a layered architecture:

```text
┌─────────────────────────────────────────────────────────────────┐
│                   Applications (Wind, Cocoon)                   │
│                          (DNS Queries)                          │
└────────────────────────────────┬────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│                Mist DNS Server (127.0.0.1:PORT)                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                        DNS Catalog                        │  │
│  │  ┌────────────────────┐  ┌──────────────────────┐         │  │
│  │  │  Editor.land Zone  │  │  Forward Allowlist   │         │  │
│  │  │  (Authoritative)   │  │ (Restricted Access)  │         │  │
│  │  │   *.editor.land    │  │  update.editor.land  │         │  │
│  │  │     127.0.0.1      │  │                      │         │  │
│  │  └────────────────────┘  └──────────────────────┘         │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
│  Hickory DNS Server Core (UDP + TCP)                            │
│  - Request parsing and response construction                    │
│  - Zone lookup and record matching                              │
│  - DNSSEC zone signing                                          │
└─────────────────────────────────────────────────────────────────┘
```

The server signs the zone it serves; verifying those signatures is the job of the validating client or resolver that receives the response.
- `lib.rs`: Main library entry point, exports public API and manages the DNS server state.
- `server.rs`: DNS server implementation using Hickory, handles UDP/TCP listeners and catalog management.
- `zone.rs`: DNS zone configuration for `editor.land`, including record definitions and authority creation.
- `resolver.rs`: DNS resolver for use by other components, provides interface to the local DNS server.
- `forward_security.rs`: Forward allowlist management, restricts which external domains can be resolved.
- `tests/integration.rs`: Comprehensive integration tests for DNS server functionality.
All subdomains of `editor.land` resolve to `127.0.0.1`:
- `code.editor.land` → `127.0.0.1`
- `api.editor.land` → `127.0.0.1`
- `*.editor.land` → `127.0.0.1`

Only allowlisted external domains can be resolved:
- `update.editor.land` → for application updates

All other external queries are refused by default (RCODE REFUSED, not NXDOMAIN, so a client can tell that policy, rather than the namespace, blocked the lookup). Note that `update.editor.land` lies inside the authoritative `editor.land` zone: the allowlist entry is the more specific catalog match and must be consulted before the wildcard, otherwise it would answer `127.0.0.1` like every other subdomain and updates could never reach the real host.
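The dispatch described above (local answer for the zone, forward for the allowlisted name, refuse everything else), as an added example that is not Mist's own code. It models the catalog as a longest-suffix match over zone origins, the way an authoritative catalog picks the closest enclosing authority, so `update.editor.land` is forwarded while every other name under `editor.land` answers `127.0.0.1`; it also shows the two checks that are easy to get wrong, case folding and label-aligned suffix matching (`evileditor.land` must not match `editor.land`). `Catalog`, `Policy`, `Decision` and `mist_like_catalog` are assumed names; only the standard library is used.

```rust
// Added example: a catalog-style policy lookup modelled on the behaviour this
// README describes. Illustrative code, not Mist's implementation; the type and
// function names are assumptions.
use std::net::Ipv4Addr;

#[derive(Debug, Clone, PartialEq, Eq)]
enum Policy {
    /// Authoritative zone: every name at or below the origin answers this address.
    Local(Ipv4Addr),
    /// Allowlisted origin: the query may be forwarded to an external resolver.
    Forward,
}

#[derive(Debug, PartialEq, Eq)]
enum Decision {
    Answer(Ipv4Addr),
    Forward,
    /// RCODE REFUSED: the name is neither local nor allowlisted.
    Refused,
}

/// One catalog entry: a zone origin in canonical form plus the policy for it.
struct Zone {
    origin: String,
    policy: Policy,
}

struct Catalog {
    zones: Vec<Zone>,
}

/// Canonical form for comparison: DNS names are case-insensitive and most client
/// APIs accept an optional trailing dot.
fn canonical(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// True when `name` equals `origin` or is a label-aligned subdomain of it.
/// The '.' check is what stops "evileditor.land" from matching "editor.land".
fn in_zone(name: &str, origin: &str) -> bool {
    name == origin
        || name.len() > origin.len()
            && name.ends_with(origin)
            && name.as_bytes()[name.len() - origin.len() - 1] == b'.'
}

impl Catalog {
    fn new() -> Self {
        Catalog { zones: Vec::new() }
    }

    fn add(&mut self, origin: &str, policy: Policy) {
        self.zones.push(Zone { origin: canonical(origin), policy });
    }

    /// Longest-suffix match: the most specific enclosing zone decides, so
    /// "update.editor.land" (Forward) beats "editor.land" (Local) for that name
    /// and its children, while "code.editor.land" still falls to the
    /// authoritative zone. A name with no enclosing zone is refused.
    fn decide(&self, qname: &str) -> Decision {
        let name = canonical(qname);
        let best = self
            .zones
            .iter()
            .filter(|z| in_zone(&name, &z.origin))
            .max_by_key(|z| z.origin.len());
        match best.map(|z| &z.policy) {
            Some(Policy::Local(ip)) => Decision::Answer(*ip),
            Some(Policy::Forward) => Decision::Forward,
            None => Decision::Refused,
        }
    }
}

/// The catalog this README describes: editor.land is authoritative and answers
/// 127.0.0.1; update.editor.land is the only origin allowed outbound.
fn mist_like_catalog() -> Catalog {
    let mut c = Catalog::new();
    c.add("editor.land", Policy::Local(Ipv4Addr::LOCALHOST));
    c.add("update.editor.land", Policy::Forward);
    c
}

fn main() {
    let catalog = mist_like_catalog();
    let queries = ["code.editor.land", "API.Editor.Land.", "update.editor.land",
                   "evileditor.land", "example.com"];
    for q in queries {
        println!("{q:<22} -> {:?}", catalog.decide(q));
    }
}
```

Because the allowlist is keyed by origin, a child such as `cdn.update.editor.land` is forwarded too; if the allowlist should be exact-match only, replace the `Forward` arm's `in_zone` with an equality test.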
The editor.land zone is signed with ECDSA P-256 keys:
- DNSKEY records provide the public signing key
- RRSIG records provide cryptographic signatures
- Validating clients can verify the authenticity of DNS responses, provided they trust the zone's DNSKEY: a privately served zone has no DS record in a parent zone, so the key must be configured as a trust anchor on the validating side
Starting the server:

```rust
use Mist::start;

// Start on preferred port 5380
let Port = start(5380)?;

// Or let the system select an available port
let Port = start(0)?;

println!("DNS server running on 127.0.0.1:{}", Port);
```

Reading the port once the server is running:

```rust
use Mist::dns_port;

let Port = dns_port();
println!("DNS server is on port: {}", Port);
```

Building a resolver that talks to the local server:

```rust
use Mist::resolver::{land_resolver, LandDnsResolver};

// Simple resolver
let Port = Mist::dns_port();
let Resolver = land_resolver(Port);

// Or with explicit interface
let Resolver = LandDnsResolver::new(Port);
```

Building the catalog directly:

```rust
use Mist::server::build_catalog;

let Catalog = build_catalog(5380)?;
```

Dependencies:
- `hickory-server` (0.24): DNS server implementation
- `hickory-proto` (0.24): DNS protocol implementation
- `hickory-client` (0.24): DNS client for resolvers
- `ring` (0.17): Cryptographic signing for DNSSEC
- `tokio` (1.49): Async runtime
- `anyhow` (1.0): Error handling
- `tracing` (0.1): Logging and instrumentation
- `once_cell` (1.21): Thread-safe lazy initialization
- `portpicker` (0.1.1): Random port selection
- `async-trait` (0.1): Async trait support
- `reqwest` (0.13): HTTP client with DNS integration
- Private Network Isolation: All `editor.land` domains resolve to localhost, preventing any external network access for private services.
- Forward Allowlist: External DNS queries are restricted to a trusted allowlist, preventing sidecars from resolving arbitrary external hosts.
- DNSSEC: Zone signing lets validating clients detect forged or tampered responses for the `editor.land` zone; it does not protect clients that skip validation.
- Loopback Binding: The DNS server only binds to `127.0.0.1`, preventing external access to the private DNS server.

A DNS allowlist constrains name resolution only. A sidecar that connects to an IP literal, or that is pointed at a different resolver, is not stopped by Mist, so network egress still has to be enforced at the socket or firewall layer if that is a requirement.
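The loopback-only binding and the preferred-port-with-fallback startup from the list above, shown end to end as an added example (illustrative code, not Mist's, which uses Hickory). It builds the DNS wire format by hand with the standard library only, so it depends on no DNS crate: the responder binds `127.0.0.1` on port 5380 or falls back to an OS-assigned port, answers `A 127.0.0.1` for names under `editor.land` and `REFUSED` for anything else (the forward path is left out), and a client sends one query and decodes the reply. `bind_loopback`, `respond`, `resolve_once` and the other names are assumptions.

```rust
// Added example, not Mist's own code: a loopback-only UDP DNS responder with
// Mist's "preferred port, else any free port" startup, exercised by a hand-built
// query. Standard library only; all names here are assumptions.
use std::net::{Ipv4Addr, SocketAddr, UdpSocket};
use std::thread;
use std::time::Duration;

const PREFERRED_PORT: u16 = 5380;
const RCODE_REFUSED: u8 = 5;

/// Bind to 127.0.0.1 only; try the preferred port, fall back to an OS-assigned one.
fn bind_loopback(preferred: u16) -> std::io::Result<UdpSocket> {
    UdpSocket::bind((Ipv4Addr::LOCALHOST, preferred))
        .or_else(|_| UdpSocket::bind((Ipv4Addr::LOCALHOST, 0)))
}

/// DNS wire-format name: length-prefixed labels terminated by a zero byte.
fn encode_name(name: &str, out: &mut Vec<u8>) {
    for label in name.trim_end_matches('.').split('.') {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.push(0);
}

/// Decode the QNAME at `pos` (lowercased) and return the offset just past it.
/// Queries carry no compression pointers, so a pointer is treated as malformed.
fn decode_name(msg: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let mut labels = Vec::new();
    loop {
        let len = *msg.get(pos)? as usize;
        pos += 1;
        if len == 0 { break; }
        if len & 0xC0 != 0 { return None; }
        let label = msg.get(pos..pos + len)?;
        labels.push(std::str::from_utf8(label).ok()?.to_ascii_lowercase());
        pos += len;
    }
    Some((labels.join("."), pos))
}

/// One A/IN query: 12-byte header (RD set, QDCOUNT=1) followed by the question.
fn build_query(id: u16, name: &str) -> Vec<u8> {
    let mut q = id.to_be_bytes().to_vec();
    q.extend_from_slice(&[0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]);
    encode_name(name, &mut q);
    q.extend_from_slice(&[0, 1, 0, 1]);
    q
}

/// Policy: A 127.0.0.1 for anything under editor.land, RCODE REFUSED otherwise.
fn respond(query: &[u8]) -> Option<Vec<u8>> {
    let (qname, qend) = decode_name(query, 12)?;
    let is_local = qname == "editor.land" || qname.ends_with(".editor.land");
    let mut r = query[..2].to_vec();                          // echo the ID
    r.push(0x84);                                             // QR=1, AA=1
    r.push(if is_local { 0 } else { RCODE_REFUSED });         // RCODE
    r.extend_from_slice(&[0, 1, 0, u8::from(is_local), 0, 0, 0, 0]); // counts
    r.extend_from_slice(query.get(12..qend + 4)?);            // copy the question
    if is_local {
        r.extend_from_slice(&[0xC0, 0x0C, 0, 1, 0, 1]);       // ptr to QNAME, A, IN
        r.extend_from_slice(&[0, 0, 0, 60, 0, 4]);            // TTL 60, RDLENGTH 4
        r.extend_from_slice(&Ipv4Addr::LOCALHOST.octets());
    }
    Some(r)
}

#[derive(Debug, PartialEq, Eq)]
enum Resolved { Address(Ipv4Addr), Refused }

/// Start the responder, send one query for `name`, decode the reply.
fn resolve_once(name: &str) -> std::io::Result<(SocketAddr, Resolved)> {
    let server = bind_loopback(PREFERRED_PORT)?;
    let addr = server.local_addr()?;
    thread::spawn(move || {
        let mut buf = [0u8; 512];
        if let Ok((n, peer)) = server.recv_from(&mut buf) {
            if let Some(reply) = respond(&buf[..n]) {
                let _ = server.send_to(&reply, peer);
            }
        }
    });
    let client = UdpSocket::bind((Ipv4Addr::LOCALHOST, 0))?;
    client.set_read_timeout(Some(Duration::from_secs(2)))?;
    client.send_to(&build_query(0x1234, name), addr)?;
    let mut buf = [0u8; 512];
    let n = client.recv_from(&mut buf)?.0;
    if n < 16 {
        return Err(std::io::Error::new(std::io::ErrorKind::InvalidData, "short reply"));
    }
    let outcome = if buf[3] & 0x0F == RCODE_REFUSED {
        Resolved::Refused
    } else {
        let o = &buf[n - 4..n];                               // RDATA of the A record
        Resolved::Address(Ipv4Addr::new(o[0], o[1], o[2], o[3]))
    };
    Ok((addr, outcome))
}

fn main() -> std::io::Result<()> {
    for name in ["code.editor.land", "example.com"] {
        let (addr, outcome) = resolve_once(name)?;
        println!("{addr} answered {name}: {outcome:?}");
    }
    Ok(())
}
```

The returned `SocketAddr` is always a loopback address, whichever port was chosen, which is the property a caller should check before handing the port to sidecars; the second run may land on a different port if 5380 is still held by the first responder thread, exactly the case the fallback exists for.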
Mist is integrated into the Land ecosystem:
- Mountain: Starts the DNS server during application initialization and provides the port to other components via the `DnsPort` managed state.
- Air: Uses the DNS server for secure HTTP requests, configuring HTTP clients to use the local DNS resolver.
- SideCar: Spawns Node.js sidecars with DNS override configuration, ensuring all DNS queries go through the local server.
- Cocoon: The Node.js extension host can resolve `editor.land` domains via the local DNS server for gRPC communication with Mountain.
```sh
# Build the library
cargo build --release

# Run all tests
cargo test

# Run integration tests
cargo test --test integration

# Run with logging
RUST_LOG=debug cargo test
```

This project is released into the public domain under the Creative Commons CC0 Universal license. You are free to use, modify, distribute, and build upon this work for any purpose, without any restrictions. For the full legal text, see the LICENSE file.
Stay updated with our progress! See CHANGELOG.md for a history of changes specific to Mist.
Mist is a core element of the Land ecosystem. This project is funded through NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.
The project is operated by PlayForm, based in Sofia, Bulgaria.
PlayForm acts as the open-source steward for Code Editor Land under the NGI0 Commons Fund grant.
Project Maintainers: Source Open (Source/Open@Editor.Land) | GitHub Repository | Report an Issue | Security Policy