CodeEditorLand/Mist
Mist DNS Isolation for the editor.land Private Network

Welcome to Mist! This element provides DNS isolation and private network resolution for the Land Code Editor. It runs a local DNS sandbox that answers every *.editor.land name with 127.0.0.1, so traffic between Land's private services never leaves the host.

Mist is engineered to:

  1. Provide Private DNS Resolution: Operate a local DNS server authoritative for the editor.land zone, resolving all subdomains to localhost for secure local communication.
  2. Enforce Forward Security: Implement a forward allowlist that only permits DNS resolution to specific, trusted external domains (e.g., update.editor.land, cdn.crashlytics.com).
  3. Support DNSSEC: Sign the editor.land zone with ECDSA P-256 keys for DNSSEC, providing cryptographic assurance of DNS responses.
  4. Enable Sidecar Isolation: Allow Node.js sidecars (like Cocoon) to use the local DNS server via a custom DNS override, so they cannot resolve arbitrary external hostnames.

Key Features

  • Hickory DNS Server: Built on the high-performance Hickory DNS library (formerly Trust-DNS), providing a robust, async DNS server implementation.
  • Authoritative Zone: Operates as an authoritative DNS server for editor.land, resolving all subdomains (*.editor.land) to 127.0.0.1 for secure local communication.
  • Forward Security: Implements a strict allowlist for external DNS queries, so sidecars cannot resolve unauthorized external hostnames by default.
  • DNSSEC Support: Signs the authoritative zone with ECDSA P-256 keys, providing cryptographic integrity and authenticity for DNS responses.
  • Dynamic Port Selection: Automatically selects an available port if the preferred port (5380) is unavailable, ensuring robust startup behavior.
  • Async Runtime: Built on Tokio for efficient, non-blocking DNS query handling.
  • Cross-Platform: Works on macOS, Linux, and Windows with consistent behavior.

Architecture

Mist follows a layered architecture:

+-----------------------------------------------------------------+
|                   Applications (Wind, Cocoon)                   |
|                          (DNS Queries)                          |
+--------------------------------+--------------------------------+
                                 |
                                 V
+-----------------------------------------------------------------+
|                Mist DNS Server (127.0.0.1:PORT)                 |
|  +-----------------------------------------------------------+  |
|  |                        DNS Catalog                        |  |
|  |  +--------------------+      +----------------------+     |  |
|  |  |  editor.land Zone  |      |   Forward Allowlist  |     |  |
|  |  |  (Authoritative)   |      |  (Restricted Access) |     |  |
|  |  |  *.editor.land ->  |      |  update.editor.land  |     |  |
|  |  |     127.0.0.1      |      |  cdn.crashlytics.com |     |  |
|  |  +--------------------+      +----------------------+     |  |
|  +-----------------------------------------------------------+  |
|                                                                 |
|  Hickory DNS Server Core (UDP + TCP)                            |
|   - Request parsing and response construction                   |
|   - Zone lookup and record matching                             |
|   - DNSSEC zone signing (RRSIG generation)                      |
+-----------------------------------------------------------------+

Components

  • lib.rs: Main library entry point, exports public API and manages the DNS server state.
  • server.rs: DNS server implementation using Hickory, handles UDP/TCP listeners and catalog management.
  • zone.rs: DNS zone configuration for editor.land, including record definitions and authority creation.
  • resolver.rs: DNS resolver for use by other components, provides interface to the local DNS server.
  • forward_security.rs: Forward allowlist management, restricts which external domains can be resolved.
  • tests/integration.rs: Comprehensive integration tests for DNS server functionality.

Usage

Starting the DNS Server

Start the DNS server on a specific port (or 0 for auto-selection):

use Mist::start;

// `?` requires the caller to return a Result (for example anyhow::Result<()>)

// Start on the preferred port 5380; the returned port may differ if 5380 was taken
let port = start(5380)?;

// Or let the system select an available port
let port = start(0)?;

println!("DNS server running on 127.0.0.1:{}", port);

Getting the DNS Server Port

Retrieve the current DNS server port:

use Mist::dns_port;

let port = dns_port();
println!("DNS server is on port: {}", port);

Creating a DNS Resolver

Create a resolver that uses the local DNS server:

use Mist::resolver::{land_resolver, LandDnsResolver};

// Simple resolver
let port = Mist::dns_port();
let resolver = land_resolver(port);

// Or with explicit interface
let resolver = LandDnsResolver::new(port);

Building a DNS Catalog

Build a DNS catalog with authoritative zones:

use Mist::server::build_catalog;

let catalog = build_catalog(5380)?;

DNS Zone Configuration

Authoritative Zone: editor.land

All subdomains of editor.land resolve to 127.0.0.1:

  • code.editor.land - 127.0.0.1
  • api.editor.land - 127.0.0.1
  • *.editor.land - 127.0.0.1

Forward Allowlist

Only allowlisted external domains can be resolved:

  • update.editor.land - For application updates
  • cdn.crashlytics.com - For crash reporting

All other external queries are refused by default.

Note that update.editor.land also sits under the authoritative editor.land zone. For it to reach the real update host, the allowlist check has to take precedence over the *.editor.land wildcard (or the zone has to carve that name out); otherwise the authoritative 127.0.0.1 answer wins and update traffic never leaves the host.
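As an added example (not Mist's own code), here is the resolution policy that the zone and allowlist sections above describe, written as a pure function in std-only Rust so it runs without the Hickory crates. It assumes exact-name allowlist entries, that the allowlist is consulted before the *.editor.land wildcard (so update.editor.land is forwarded rather than answered with 127.0.0.1), and that the zone apex itself answers locally; the page states none of those details. The names `Policy`, `Decision` and `labels` are this example's, not Mist's.

```rust
// Added example, not Mist's own code: the name-resolution policy from the
// zone and allowlist sections, as a pure function over query names.
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Name is inside the authoritative editor.land zone: answer locally.
    Local(Ipv4Addr),
    /// Name is an exact allowlist entry: forward to the upstream resolver.
    Forward,
    /// Everything else: answer REFUSED, never forward.
    Refused,
}

/// Lower-case a name, strip a trailing dot and split it into labels.
/// Returns None for syntactically bad names (empty or oversized labels),
/// which the policy then refuses rather than guessing.
pub fn labels(name: &str) -> Option<Vec<String>> {
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    if name.is_empty() || name.len() > 253 {
        return None;
    }
    let parts: Vec<String> = name.split('.').map(str::to_owned).collect();
    if parts.iter().any(|l| l.is_empty() || l.len() > 63) {
        return None;
    }
    Some(parts)
}

pub struct Policy {
    zone: Vec<String>,
    local_addr: Ipv4Addr,
    allowlist: Vec<Vec<String>>,
}

impl Policy {
    /// The zone and allowlist the README lists (assumption: apex included).
    pub fn mist_default() -> Self {
        Policy {
            zone: labels("editor.land").unwrap(),
            local_addr: Ipv4Addr::LOCALHOST,
            allowlist: ["update.editor.land", "cdn.crashlytics.com"]
                .iter()
                .map(|n| labels(n).unwrap())
                .collect(),
        }
    }

    /// Label-wise suffix test: `ls` is the zone itself or a name below it.
    /// Comparing labels rather than string suffixes is what keeps
    /// `notaeditor.land` from matching `editor.land`.
    fn in_zone(&self, ls: &[String]) -> bool {
        ls.len() >= self.zone.len() && ls[ls.len() - self.zone.len()..] == self.zone[..]
    }

    pub fn decide(&self, qname: &str) -> Decision {
        let ls = match labels(qname) {
            Some(ls) => ls,
            None => return Decision::Refused,
        };
        // Allowlist entries are exact names and are checked first, so that
        // update.editor.land is carved out of the *.editor.land wildcard
        // (assumption about Mist's ordering; the page does not state it).
        if self.allowlist.iter().any(|a| *a == ls) {
            return Decision::Forward;
        }
        if self.in_zone(&ls) {
            return Decision::Local(self.local_addr);
        }
        Decision::Refused
    }
}

fn main() {
    let policy = Policy::mist_default();
    for q in [
        "code.editor.land",
        "API.editor.land.",
        "update.editor.land",
        "cdn.crashlytics.com",
        "cdn.crashlytics.com.attacker.example", // suffix-spoofing attempt
        "notaeditor.land",                      // string-suffix false match
        "example.com",
        "a..b",                                 // malformed name
    ] {
        println!("{:40} -> {:?}", q, policy.decide(q));
    }
}
```

The label-wise comparison is the part worth copying into any allowlist code: a plain `ends_with("editor.land")` string check also accepts notaeditor.land, and an allowlist checked with a substring or prefix test accepts cdn.crashlytics.com.attacker.example.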

DNSSEC

The editor.land zone is signed with ECDSA P-256 keys:

  • DNSKEY records provide the public signing key
  • RRSIG records provide cryptographic signatures
  • Clients can verify the authenticity of DNS responses, provided they are configured with the zone's DNSKEY as a trust anchor: the locally served editor.land zone is not delegated from the public DNS tree, so validation cannot chain up to the root

Dependencies

Mist depends on the following crates:

  • hickory-server (0.24): DNS server implementation
  • hickory-proto (0.24): DNS protocol implementation
  • hickory-client (0.24): DNS client for resolvers
  • ring (0.17): Cryptographic signing for DNSSEC
  • tokio (1.49): Async runtime
  • anyhow (1.0): Error handling
  • tracing (0.1): Logging and instrumentation
  • once_cell (1.21): Thread-safe lazy initialization
  • portpicker (0.1.1): Random port selection
  • async-trait (0.1): Async trait support
  • reqwest (0.13): HTTP client with DNS integration

Building & Testing

Building

Build the library:

cargo build --release

Running Tests

Run all tests:

cargo test

Run integration tests:

cargo test --test integration

Run with logging:

RUST_LOG=debug cargo test

Security Considerations

Mist implements several security features:

  1. Private Network Isolation: All editor.land domains resolve to localhost, so requests to private services never leave the host.
  2. Forward Allowlist: External DNS queries are restricted to a trusted allowlist, preventing sidecars from resolving arbitrary external hostnames. This is a name-resolution control, not an egress control: a sidecar that connects to an IP literal, or bundles its own resolver, bypasses it, so pair it with a host or network egress policy where that matters.
  3. DNSSEC: Zone signing lets validating clients detect forged or tampered responses for editor.land; it adds nothing for clients that do not validate or that lack a trust anchor for the zone.
  4. Loopback Binding: The DNS server only binds to 127.0.0.1, so it is unreachable from other hosts. Any process on the local machine can still query it, which is expected for a loopback resolver.
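As an added check (example code, not part of Mist or its test suite), the following std-only Rust client exercises the loopback server end to end, which is the practical complement to the Running Tests section and to the isolation claims above: it encodes an A query in DNS wire format, sends it over UDP to 127.0.0.1 on the port Mist reports, and parses the reply's RCODE, AA bit and A records. That is enough to confirm both the 127.0.0.1 answer for a zone name and the refusal of an off-list name. It assumes the server is on port 5380 and that "refused" means RCODE 5 (REFUSED); the function names and the fixed transaction id are this example's own.

```rust
// Added example, not Mist's own code or tests: a std-only DNS/UDP client
// for checking a running Mist instance from the loopback interface.
use std::net::{Ipv4Addr, UdpSocket};
use std::time::Duration;

/// Encode a standard A/IN query for `name` (RD set) in DNS wire format.
pub fn encode_a_query(id: u16, name: &str) -> Vec<u8> {
    let mut msg = Vec::with_capacity(64);
    msg.extend_from_slice(&id.to_be_bytes());
    msg.extend_from_slice(&[0x01, 0x00]); // flags: QR=0, opcode=0, RD=1
    msg.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, AN/NS/AR=0
    for label in name.trim_end_matches('.').split('.') {
        msg.push(label.len() as u8);
        msg.extend_from_slice(label.as_bytes());
    }
    msg.push(0); // root label terminates the name
    msg.extend_from_slice(&[0, 1, 0, 1]); // QTYPE=A, QCLASS=IN
    msg
}

/// What the check needs from a reply: RCODE, the AA bit, and any A records.
#[derive(Debug, PartialEq, Eq)]
pub struct Answer {
    pub rcode: u8,
    pub authoritative: bool,
    pub addrs: Vec<Ipv4Addr>,
}

/// Skip a (possibly compressed) name starting at `pos`; return the offset
/// just past it. A compression pointer (top two bits set) ends the name.
fn skip_name(msg: &[u8], mut pos: usize) -> Option<usize> {
    loop {
        let len = *msg.get(pos)?;
        match len {
            0 => return Some(pos + 1),
            l if l & 0xC0 == 0xC0 => return Some(pos + 2),
            l if l & 0xC0 != 0 => return None, // reserved label types
            l => pos += 1 + l as usize,
        }
    }
}

fn be16(msg: &[u8], pos: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]))
}

/// Parse a reply; None means malformed, not a response, or wrong id.
pub fn parse_a_response(msg: &[u8], expected_id: u16) -> Option<Answer> {
    if be16(msg, 0)? != expected_id {
        return None; // mismatched transaction id: stale or forged reply
    }
    let flags = be16(msg, 2)?;
    if flags & 0x8000 == 0 {
        return None; // QR bit clear: this is a query, not a response
    }
    let (qdcount, ancount) = (be16(msg, 4)?, be16(msg, 6)?);
    let mut pos = 12;
    for _ in 0..qdcount {
        pos = skip_name(msg, pos)? + 4; // skip QTYPE and QCLASS
    }
    let mut addrs = Vec::new();
    for _ in 0..ancount {
        pos = skip_name(msg, pos)?;
        let rtype = be16(msg, pos)?;
        let rdlen = be16(msg, pos + 8)? as usize; // after TYPE, CLASS, TTL
        let rdata = msg.get(pos + 10..pos + 10 + rdlen)?;
        if rtype == 1 && rdlen == 4 {
            addrs.push(Ipv4Addr::new(rdata[0], rdata[1], rdata[2], rdata[3]));
        }
        pos += 10 + rdlen;
    }
    Some(Answer {
        rcode: (flags & 0x000F) as u8,
        authoritative: flags & 0x0400 != 0,
        addrs,
    })
}

/// Send one A query to 127.0.0.1:`port` over UDP and parse the reply.
pub fn query_local(port: u16, name: &str) -> Option<Answer> {
    let sock = UdpSocket::bind((Ipv4Addr::LOCALHOST, 0)).ok()?;
    sock.set_read_timeout(Some(Duration::from_secs(2))).ok()?;
    let id = 0x4d49; // fixed for the example; a real client randomises it
    sock.send_to(&encode_a_query(id, name), (Ipv4Addr::LOCALHOST, port)).ok()?;
    let mut buf = [0u8; 512];
    let (n, _) = sock.recv_from(&mut buf).ok()?;
    parse_a_response(&buf[..n], id)
}

fn main() {
    let port = 5380; // assumption: Mist is already running on its preferred port
    // A zone name must come back NOERROR with exactly 127.0.0.1.
    match query_local(port, "code.editor.land") {
        Some(a) if a.rcode == 0 && a.addrs == [Ipv4Addr::LOCALHOST] => {
            println!("ok: code.editor.land -> 127.0.0.1 (aa={})", a.authoritative)
        }
        other => println!("unexpected reply for code.editor.land: {:?}", other),
    }
    // A name neither in the zone nor allowlisted should be REFUSED (RCODE 5).
    match query_local(port, "example.com") {
        Some(a) if a.rcode == 5 && a.addrs.is_empty() => println!("ok: example.com refused"),
        other => println!("unexpected reply for example.com: {:?}", other),
    }
}
```

Checking the transaction id and the QR bit before trusting a reply is deliberate: with a fixed id an attacker on the same host could race a forged answer to the socket, so a real client should randomise the id and source port as well. Running this with the allowlist caveat from the Forward Allowlist section in mind, a query for update.editor.land tells you immediately whether the wildcard or the allowlist won.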

Integration with Land

Mist is integrated into the Land ecosystem:

  • Mountain: Starts the DNS server during application initialization and provides the port to other components via the DnsPort managed state.
  • Air: Uses the DNS server for secure HTTP requests, configuring HTTP clients to use the local DNS resolver.
  • SideCar: Spawns Node.js sidecars with DNS override configuration, ensuring all DNS queries go through the local server.
  • Cocoon: The Node.js extension host can resolve editor.land domains via the local DNS server for gRPC communication with Mountain.

License

This project is licensed under the CC0 1.0 Universal license - see the LICENSE file for details.


Contributing

Contributions are welcome! Please ensure:

  1. All tests pass: cargo test
  2. Code follows Rust style guidelines: cargo fmt
  3. No clippy warnings: cargo clippy
  4. Documentation is updated as needed

Acknowledgments

  • Hickory DNS Team - For creating an excellent DNS library
  • Trust-DNS Team - For the original implementation that Hickory builds upon
  • Land Team - For the vision of a secure, private development environment
