DNS Isolation for the editor.land Private Network
Mist provides DNS isolation and private network resolution for the Land Code
Editor. It creates a secure DNS sandbox that resolves all *.editor.land
domains locally to 127.0.0.1, ensuring all private network communication stays
local.
Mist is engineered to:
- Provide Private DNS Resolution: Operate a local DNS server authoritative for the `editor.land` zone, resolving all subdomains to localhost.
- Enforce Forward Security: Implement a forward allowlist that only permits DNS resolution to specific, trusted external domains (e.g., `update.editor.land`).
- Support DNSSEC: Sign the `editor.land` zone with ECDSA P-256 keys, providing cryptographic assurance of DNS responses.
- Enable Sidecar Isolation: Allow Node.js sidecars (like Cocoon) to use the local DNS server via a custom DNS override, ensuring they cannot reach arbitrary external hosts.
- Hickory DNS Server: Built on the high-performance Hickory DNS library (formerly Trust-DNS), providing a robust, async DNS server implementation.
- Authoritative Zone: Operates as an authoritative DNS server for `editor.land`, resolving all subdomains (`*.editor.land`) to `127.0.0.1` for secure local communication.
- Forward Security: Implements a strict allowlist for external DNS queries, preventing sidecars from reaching unauthorized external hosts by default.
- DNSSEC Support: Signs the authoritative zone with ECDSA P-256 keys, providing cryptographic integrity and authenticity for DNS responses.
- Dynamic Port Selection: Automatically selects an available port if the preferred port (5380) is unavailable, ensuring robust startup behavior.
- Async Runtime: Built on Tokio for efficient, non-blocking DNS query handling.
- Cross-Platform: Works on macOS, Linux, and Windows with consistent behavior.
Mist follows a layered architecture.
DNS queries from applications flow through the catalog, which handles zone lookups and forward allowlist enforcement.
```text
┌─────────────────────────────────────────────────────────────────┐
│                    Applications (Wind, Cocoon)                  │
│                         (DNS Queries)                           │
└────────────────────────────────────┬────────────────────────────┘
                                     │
                                     ▼
┌─────────────────────────────────────────────────────────────────┐
│                Mist DNS Server (127.0.0.1:PORT)                 │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │                      DNS Catalog                           │ │
│  │  ┌────────────────────┐  ┌──────────────────────┐          │ │
│  │  │ Editor.land Zone   │  │ Forward Allowlist    │          │ │
│  │  │ (Authoritative)    │  │ (Restricted Access)  │          │ │
│  │  │ *.editor.land →    │  │ • update.editor.land │          │ │
│  │  │ 127.0.0.1          │  │                      │          │ │
│  │  └────────────────────┘  └──────────────────────┘          │ │
│  └────────────────────────────────────────────────────────────┘ │
│                                                                 │
│  Hickory DNS Server Core (UDP + TCP)                            │
│  - Request parsing and response construction                    │
│  - Zone lookup and record matching                              │
│  - DNSSEC signature verification                                │
└─────────────────────────────────────────────────────────────────┘
```
- `lib.rs`: Main library entry point; exports the public API and manages the DNS server state.
- `server.rs`: DNS server implementation using Hickory; handles UDP/TCP listeners and catalog management.
- `zone.rs`: DNS zone configuration for `editor.land`, including record definitions and authority creation.
- `resolver.rs`: DNS resolver for use by other components; provides an interface to the local DNS server.
- `forward_security.rs`: Forward allowlist management; restricts which external domains can be resolved.
- `tests/integration.rs`: Comprehensive integration tests for DNS server functionality.
Start the DNS server on a specific port (or 0 for auto-selection):

```rust
use Mist::start;

// Start on preferred port 5380
let port = Mist::start(5380)?;

// Or let the system select an available port
let port = Mist::start(0)?;
println!("DNS server running on 127.0.0.1:{}", port);
```

Retrieve the current DNS server port:

```rust
use Mist::dns_port;

let port = dns_port();
println!("DNS server is on port: {}", port);
```

Create a resolver that uses the local DNS server:

```rust
use Mist::resolver::{land_resolver, LandDnsResolver};

// Simple resolver
let port = Mist::dns_port();
let resolver = land_resolver(port);

// Or with explicit interface
let resolver = LandDnsResolver::new(port);
```

Build a DNS catalog with authoritative zones:

```rust
use Mist::server::build_catalog;

let catalog = build_catalog(5380)?;
```

All subdomains of `editor.land` resolve to `127.0.0.1`:
- `code.editor.land` → `127.0.0.1`
- `api.editor.land` → `127.0.0.1`
- `*.editor.land` → `127.0.0.1`
Only allowlisted external domains can be resolved:
- `update.editor.land`: for application updates
All other external queries are refused by default.
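The three outcomes described above (answer names in the authoritative zone locally, forward only allowlisted names, refuse everything else) as an added, standard-library-only model. This is not Mist's code and does not call Hickory; `Catalog`, `Decision` and `decide` are names chosen here, and consulting the allowlist before the zone wildcard (so that `update.editor.land` is forwarded rather than answered with `127.0.0.1`) is an assumption about how Mist orders these checks. Matching is done on lower-cased labels, so look-alike names such as `xeditor.land` or `editor.land.example` fall through to refusal.

```rust
// Added example: a standard-library model of the catalog decision described in
// this README. It is not Mist's code and does not use Hickory; the names
// Catalog, Decision and decide are chosen here for illustration.
use std::net::Ipv4Addr;

/// What the catalog decides to do with a query name.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Name is in the authoritative zone: answer locally with this A record.
    Local(Ipv4Addr),
    /// Name is on the forward allowlist: may be sent to an upstream resolver.
    Forward,
    /// Anything else is refused and never leaves the host.
    Refused,
}

pub struct Catalog {
    /// Labels of the zone apex, e.g. ["editor", "land"].
    zone_apex: Vec<String>,
    /// Exact names (as labels) that may be forwarded.
    forward_allowlist: Vec<Vec<String>>,
}

/// Split a DNS name into lower-cased labels. A trailing dot and empty labels
/// are dropped, so "API.Editor.Land." and "api.editor.land" compare equal.
fn labels(name: &str) -> Vec<String> {
    name.split('.')
        .filter(|l| !l.is_empty())
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

impl Catalog {
    pub fn new(zone_apex: &str, allowlist: &[&str]) -> Self {
        Catalog {
            zone_apex: labels(zone_apex),
            forward_allowlist: allowlist.iter().map(|n| labels(n)).collect(),
        }
    }

    /// Label-wise suffix match: true for the apex and every subdomain, but not
    /// for look-alikes such as "xeditor.land" or "editor.land.example".
    fn in_zone(&self, name: &[String]) -> bool {
        let k = self.zone_apex.len();
        name.len() >= k && name[name.len() - k..] == self.zone_apex[..]
    }

    /// Assumption: the allowlist is consulted before the zone wildcard; otherwise
    /// update.editor.land would be answered with 127.0.0.1 instead of forwarded.
    pub fn decide(&self, qname: &str) -> Decision {
        let name = labels(qname);
        if self.forward_allowlist.iter().any(|allowed| *allowed == name) {
            return Decision::Forward;
        }
        if self.in_zone(&name) {
            return Decision::Local(Ipv4Addr::LOCALHOST);
        }
        Decision::Refused
    }
}

fn main() {
    let catalog = Catalog::new("editor.land", &["update.editor.land"]);
    for q in ["code.editor.land", "update.editor.land", "example.com", "xeditor.land"] {
        println!("{q:<22} -> {:?}", catalog.decide(q));
    }
}
```

Refusal rather than forwarding is the default branch on purpose: any name that is neither in the zone nor on the allowlist produces no upstream traffic at all, which is the property the sidecar isolation relies on.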
The editor.land zone is signed with ECDSA P-256 keys:
- DNSKEY records provide the public signing key
- RRSIG records provide cryptographic signatures
- Clients can verify the authenticity of DNS responses
Mist depends on the following crates:
- `hickory-server` (0.24): DNS server implementation
- `hickory-proto` (0.24): DNS protocol implementation
- `hickory-client` (0.24): DNS client for resolvers
- `ring` (0.17): Cryptographic signing for DNSSEC
- `tokio` (1.49): Async runtime
- `anyhow` (1.0): Error handling
- `tracing` (0.1): Logging and instrumentation
- `once_cell` (1.21): Thread-safe lazy initialization
- `portpicker` (0.1.1): Random port selection
- `async-trait` (0.1): Async trait support
- `reqwest` (0.13): HTTP client with DNS integration
Build the library:

```shell
cargo build --release
```

Run all tests:

```shell
cargo test
```

Run integration tests:

```shell
cargo test --test integration
```

Run with logging:

```shell
RUST_LOG=debug cargo test
```

Mist implements several security features:
- Private Network Isolation: All `editor.land` domains resolve to localhost, preventing any external network access for private services.
- Forward Allowlist: External DNS queries are restricted to a trusted allowlist, preventing sidecars from accessing arbitrary external hosts.
- DNSSEC: Zone signing provides cryptographic assurance of DNS responses, preventing DNS spoofing attacks.
- Loopback Binding: The DNS server only binds to `127.0.0.1`, preventing external access to the private DNS server.
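The loopback-binding property above, together with the dynamic port selection listed under the features (try 5380, fall back to an OS-chosen port), as an added example. It is not Mist's code: `bind_loopback` and `is_loopback_only` are names chosen here, `PREFERRED_PORT` repeats the README's 5380, and only the UDP listener is shown (Mist also serves TCP).

```rust
// Added example: loopback-only binding with a preferred port and fallback,
// modelled on the behaviour this README describes. Not Mist's code; the
// function names are chosen here and PREFERRED_PORT repeats the README's 5380.
use std::io;
use std::net::{Ipv4Addr, SocketAddrV4, UdpSocket};

/// Port Mist prefers, per this README.
pub const PREFERRED_PORT: u16 = 5380;

/// Bind a UDP listener on 127.0.0.1 only (never 0.0.0.0). `preferred` is tried
/// first; if it is already taken, the OS picks a free port instead. Returns the
/// socket together with the port actually bound, which is the value the caller
/// must publish to other components (the README's DnsPort managed state).
pub fn bind_loopback(preferred: u16) -> io::Result<(UdpSocket, u16)> {
    let addr = |port| SocketAddrV4::new(Ipv4Addr::LOCALHOST, port);
    let socket = match UdpSocket::bind(addr(preferred)) {
        Ok(s) => s,
        // Only an occupied port triggers the fallback; any other error surfaces.
        Err(e) if preferred != 0 && e.kind() == io::ErrorKind::AddrInUse => {
            UdpSocket::bind(addr(0))?
        }
        Err(e) => return Err(e),
    };
    let port = socket.local_addr()?.port();
    Ok((socket, port))
}

/// Check that a listener is bound to a loopback address and nothing wider.
pub fn is_loopback_only(socket: &UdpSocket) -> io::Result<bool> {
    Ok(socket.local_addr()?.ip().is_loopback())
}

fn main() -> io::Result<()> {
    let (first, p1) = bind_loopback(PREFERRED_PORT)?;
    // A second server on the same host cannot take the preferred port, so it
    // falls back to an OS-assigned one instead of failing to start.
    let (second, p2) = bind_loopback(PREFERRED_PORT)?;
    println!("first: 127.0.0.1:{p1}, second: 127.0.0.1:{p2}");
    println!(
        "loopback only: {} {}",
        is_loopback_only(&first)?,
        is_loopback_only(&second)?
    );
    Ok(())
}
```

The port returned by `bind_loopback` is read back from `local_addr()` rather than assumed from the argument, so components that are handed the port always receive the one actually in use, even after a fallback.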
Mist is integrated into the Land ecosystem:
- Mountain: Starts the DNS server during initialization and exposes the port to other components via the `DnsPort` managed state.
- Air: Uses the DNS server for secure HTTP requests, configuring HTTP clients to use the local DNS resolver.
- SideCar: Spawns Node.js sidecars with DNS override configuration, ensuring all queries go through the local server.
- Cocoon: The Node.js extension host resolves `editor.land` domains via the local DNS server for gRPC communication with Mountain.
This project is licensed under Creative Commons CC0.
See the LICENSE file for details.
Stay updated with our progress! See CHANGELOG.md for a history of changes specific to Mist.
Code Editor Land is funded through the NGI0 Commons Fund, established by NLnet with financial support from the European Commission's Next Generation Internet programme, under grant agreement No. 101135429.
The project is operated by PlayForm, based in Sofia, Bulgaria.
PlayForm acts as the open-source steward for Code Editor Land under the NGI0 Commons Fund grant.
| Land | PlayForm | NLnet | NGI0 Commons Fund |
|---|---|---|---|
Project Maintainers: Source Open (Source/Open@Editor.Land) | GitHub Repository | Report an Issue | Security Policy