DNS Isolation for the land.playform.cloud Private Network
Development environments that communicate over the public internet expose services to unnecessary risk. DNS resolution for local services goes through external resolvers, leaking information about the development setup.
"Nothing leaks to the public internet. A clean network boundary between the editor and the outside world."
Welcome to Mist! This element provides DNS isolation and private network
resolution for the Land Code Editor. It creates a secure DNS sandbox that
resolves all *.land.playform.cloud domains locally to 127.0.0.1, ensuring
that all private network communication remains local and secure.
Mist is engineered to:
- Provide Private DNS Resolution: Operate a local DNS server authoritative for the land.playform.cloud zone, resolving all subdomains to localhost for secure local communication.
- Enforce Forward Security: Implement a forward allowlist that only permits DNS resolution to specific, trusted external domains (e.g., update.land.playform.cloud).
- Support DNSSEC: Sign the land.playform.cloud zone with ECDSA P-256 keys for DNSSEC, providing cryptographic assurance of DNS responses.
- Enable Sidecar Isolation: Allow Node.js sidecars (like Cocoon) to use the local DNS server via a custom DNS override, ensuring they cannot access arbitrary external hosts.

- Hickory DNS Server: Built on the high-performance Hickory DNS library (formerly Trust-DNS), providing a robust, async DNS server implementation.
- Authoritative Zone: Operates as an authoritative DNS server for land.playform.cloud, resolving all subdomains (*.land.playform.cloud) to 127.0.0.1 for secure local communication.
- Forward Security: Implements a strict allowlist for external DNS queries, preventing sidecars from reaching unauthorized external hosts by default.
- DNSSEC Support: Signs the authoritative zone with ECDSA P-256 keys, providing cryptographic integrity and authenticity for DNS responses.
- Dynamic Port Selection: Automatically selects an available port if the preferred port (5380) is unavailable, ensuring robust startup behavior. Because the bound port can differ from 5380, consumers must read the actual port (Mountain's DnsPort managed state) rather than assuming it; a hard-coded 5380 would send queries to whatever other local process happens to hold that port.
- Async Runtime: Built on Tokio for efficient, non-blocking DNS query handling.
- Cross-Platform: Works on macOS, Linux, and Windows with consistent behavior.
Mist follows a layered architecture:

```mermaid
graph LR
classDef mist fill:#e0f0ff,stroke:#2471a3,stroke-width:2px,color:#001030;
classDef zone fill:#d4f5d4,stroke:#27ae60,stroke-width:1px,color:#0a3a0a;
classDef forward fill:#fff3c0,stroke:#f39c12,stroke-width:1px,stroke-dasharray:5 5,color:#5a3e00;
classDef consumer fill:#f0d0ff,stroke:#9b59b6,stroke-width:1px,color:#2c0050;
classDef external fill:#ebebeb,stroke:#888,stroke-width:1px,stroke-dasharray:5 5,color:#333;
subgraph CONSUMERS["Land Components - DNS Clients"]
Mountain["Mountain ⛰️\nstarts Mist, reads DnsPort"]:::consumer
Cocoon["Cocoon 🦋\nNode.js sidecar (DNS override)"]:::consumer
Air["Air 🪁\nHTTP client with custom DNS"]:::consumer
end
subgraph MIST["Mist 🌫️ - Local DNS Server (127.0.0.1:PORT)"]
direction TB
Server["Server.rs - Hickory DNS\nUDP + TCP listeners"]:::mist
Zone["Zone.rs - Authoritative Zone\n*.land.playform.cloud → 127.0.0.1\nDNSSEC signed ECDSA P-256"]:::zone
Forward["ForwardSecurity.rs - Allowlist\nupdate.land.playform.cloud only"]:::forward
Resolver["Resolver.rs - LandDnsResolver"]:::mist
WSTransport["WebSocket.rs - DNS data stream"]:::mist
Server --> Zone
Server --> Forward
Server --> Resolver
Resolver --- WSTransport
end
subgraph INTERNET["External ☁️"]
UpdateServer["update.land.playform.cloud\nallowlisted only"]:::external
end
Mountain -- spawns + DnsPort --> Server
Cocoon -- DNS queries --> Server
Air -- DNS queries --> Resolver
Forward -- forwards allowed --> UpdateServer
```
| File | Role |
|---|---|
| lib.rs | Main library entry point, exports public API and manages DNS server state. |
| Server.rs | DNS server implementation using Hickory, handles UDP/TCP listeners and catalog management. |
| Zone.rs | DNS zone configuration for land.playform.cloud, including record definitions and authority creation. |
| Resolver.rs | DNS resolver for use by other components, provides interface to the local DNS server. |
| ForwardSecurity.rs | Forward allowlist management, restricts which external domains can be resolved. |
| WebSocket.rs | WebSocket transport layer for real-time DNS data streaming. |

All subdomains of land.playform.cloud resolve to 127.0.0.1:
- code.land.playform.cloud → 127.0.0.1
- api.land.playform.cloud → 127.0.0.1
- *.land.playform.cloud → 127.0.0.1

Only allowlisted external domains can be resolved:
- update.land.playform.cloud: for application updates

All other external queries are refused by default. Note that update.land.playform.cloud itself lies inside the private land.playform.cloud zone, so the allowlist entry is what lets that one name reach the real update server instead of being pinned to 127.0.0.1.
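The resolution policy above, as an added example that is not Mist's own code: a std-only Rust model of the three outcomes (answer locally, forward, refuse). The zone and the allowlist entry are the page's; the `Policy`/`Decision` names and the ordering, allowlist before zone, are assumptions. The ordering matters because update.land.playform.cloud sits inside the private zone, so a zone-first server would pin it to loopback and updates would never leave the machine; how Mist itself orders the two checks is not stated here. The normalisation and label-boundary checks are the parts easy to get wrong: a bare suffix match would accept `notland.playform.cloud` as a zone member, and a prefix match on the allowlist would let `update.land.playform.cloud.attacker.example` through.

```rust
// Added example, not part of Mist. Zone/allowlist names come from the
// README; Policy, Decision and the allowlist-first ordering are assumptions.
use std::net::Ipv4Addr;

/// What the server should do with a query for a given name.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Answer authoritatively with this loopback address.
    Local(Ipv4Addr),
    /// Forward upstream: the name is on the explicit allowlist.
    Forward,
    /// Refuse: neither in the private zone nor allowlisted.
    Refuse,
}

pub struct Policy {
    zone: String,
    allow: Vec<String>,
}

/// DNS names are case-insensitive and may carry a trailing dot; normalise
/// before any comparison so "CODE.Land.PlayForm.Cloud." matches the zone.
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

impl Policy {
    pub fn new(zone: &str, allow: &[&str]) -> Self {
        Policy {
            zone: normalize(zone),
            allow: allow.iter().map(|n| normalize(n)).collect(),
        }
    }

    /// Match only on a label boundary: "notland.playform.cloud" must not be
    /// treated as part of "land.playform.cloud".
    fn in_zone(&self, name: &str) -> bool {
        name == self.zone || name.ends_with(&format!(".{}", self.zone))
    }

    pub fn decide(&self, qname: &str) -> Decision {
        let name = normalize(qname);
        // Allowlist first (assumption): update.land.playform.cloud lies inside
        // the private zone, so zone-first ordering would answer 127.0.0.1.
        // Exact match only, so no suffix/prefix tricks reach the forwarder.
        if self.allow.iter().any(|a| a == &name) {
            return Decision::Forward;
        }
        if self.in_zone(&name) {
            return Decision::Local(Ipv4Addr::LOCALHOST);
        }
        Decision::Refuse
    }
}

/// The policy the README describes: one private zone, one allowlisted host.
pub fn mist_policy() -> Policy {
    Policy::new("land.playform.cloud", &["update.land.playform.cloud"])
}

fn main() {
    let p = mist_policy();
    for q in [
        "code.land.playform.cloud",
        "update.land.playform.cloud.",
        "notland.playform.cloud",
        "update.land.playform.cloud.attacker.example",
        "example.com",
    ] {
        println!("{:<45} -> {:?}", q, p.decide(q));
    }
}
```

Running it prints Local for the first name, Forward for the second and Refuse for the rest; the constructed query names are illustrative inputs, not records from the project.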
The land.playform.cloud zone is signed with ECDSA P-256 keys:
- DNSKEY records provide the public signing key
- RRSIG records provide cryptographic signatures
- Clients can verify the authenticity of DNS responses, provided they validate the RRSIGs against a trust anchor for the zone's DNSKEY; a non-validating stub resolver accepts the answer whether or not a signature is present or correct
Start the server on the preferred port, or let Mist pick a free one:

```rust
use Mist::start;

// Start on preferred port 5380 (a free port is chosen if it is unavailable)
let Port = start(5380)?;

// Or let the system select an available port
let Port = start(0)?;
println!("DNS server running on 127.0.0.1:{}", Port);
```

Read the port the running server actually bound:

```rust
use Mist::dns_port;

let Port = dns_port();
println!("DNS server is on port: {}", Port);
```

Build a resolver for other components:

```rust
use Mist::resolver::{land_resolver, LandDnsResolver};

// Simple resolver
let Port = Mist::dns_port();
let Resolver = land_resolver(Port);

// Or with explicit interface
let Resolver = LandDnsResolver::new(Port);
```

Build the Hickory catalog directly:

```rust
use Mist::server::build_catalog;

let Catalog = build_catalog(5380)?;
```

Dependencies:
- hickory-server (0.24): DNS server implementation
- hickory-proto (0.24): DNS protocol implementation
- hickory-client (0.24): DNS client for resolvers
- ring (0.17): Cryptographic signing for DNSSEC
- tokio (1.49): Async runtime
- anyhow (1.0): Error handling
- tracing (0.1): Logging and instrumentation
- once_cell (1.21): Thread-safe lazy initialization
- portpicker (0.1.1): Random port selection
- async-trait (0.1): Async trait support
- reqwest (0.13): HTTP client with DNS integration

- Private Network Isolation: All land.playform.cloud domains resolve to localhost, keeping private services on the loopback interface. This pins name resolution, not connections: a process that connects to an IP address directly is not constrained by it.
- Forward Allowlist: External DNS queries are restricted to a trusted allowlist, preventing sidecars from accessing arbitrary external hosts.
- DNSSEC: Zone signing provides cryptographic assurance of DNS responses. This only defends against spoofing for clients that validate the RRSIGs against a trust anchor for the zone's DNSKEY; a non-validating stub resolver gains nothing from the signatures.
- Loopback Binding: The DNS server only binds to 127.0.0.1, preventing access from other hosts. Any process on the same machine can still query it, so the allowlist, not the bind address, is what limits which external names can be resolved.
Mist is integrated into the Land ecosystem:
- Mountain: Starts the DNS server during application initialization and provides the port to other components via the DnsPort managed state.
- Air: Uses the DNS server for secure HTTP requests, configuring HTTP clients to use the local DNS resolver.
- SideCar: Spawns Node.js sidecars with DNS override configuration, ensuring all DNS queries go through the local server.
- Cocoon: The Node.js extension host can resolve land.playform.cloud domains via the local DNS server for gRPC communication with Mountain.
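One way to check the sandbox from a client's position, the same view a sidecar gets, as an added example that is not part of Mist: it hand-rolls an A query in RFC 1035 wire format with std only, sends it to the local server over UDP and decodes the reply. Port 5380 is the README's preferred port and an assumption here; in practice read the port from Mountain's DnsPort. A zone name should come back as an A record for 127.0.0.1, and a name that is neither in the zone nor allowlisted should come back with no A answer (the README says refused). The same check from a shell is `dig @127.0.0.1 -p 5380 code.land.playform.cloud A`.

```rust
// Added example, not part of Mist: a std-only DNS smoke check against the
// local server. The port and the query names are assumptions for the demo.
use std::net::{Ipv4Addr, SocketAddr, UdpSocket};
use std::time::Duration;

/// Outcome of one A query, reduced to what the sandbox check cares about.
#[derive(Debug, PartialEq, Eq)]
pub enum Answer {
    A(Vec<Ipv4Addr>), // NOERROR with at least one A record
    NoData,           // NOERROR but no A record in the answer section
    NxDomain,         // RCODE 3
    Refused,          // RCODE 5, what the README says off-policy names get
    Other(u8),        // any other RCODE
}

/// Encode a standard A/IN query (RFC 1035 section 4.1) with RD set.
pub fn build_query(id: u16, name: &str) -> Vec<u8> {
    let mut q = Vec::with_capacity(64);
    q.extend_from_slice(&id.to_be_bytes());
    q.extend_from_slice(&[0x01, 0x00]); // flags: QR=0, opcode 0, RD=1
    q.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, AN/NS/AR=0
    for label in name.trim_end_matches('.').split('.') {
        q.push(label.len() as u8);
        q.extend_from_slice(label.as_bytes());
    }
    q.push(0); // root label terminates the name
    q.extend_from_slice(&[0, 1, 0, 1]); // QTYPE=A, QCLASS=IN
    q
}

/// Skip a name (labels or a compression pointer) at `pos`; return next offset.
fn skip_name(msg: &[u8], mut pos: usize) -> Option<usize> {
    loop {
        let len = *msg.get(pos)?;
        if len & 0xC0 == 0xC0 {
            return Some(pos + 2); // 2-byte pointer ends the name
        }
        if len == 0 {
            return Some(pos + 1);
        }
        pos += 1 + len as usize;
    }
}

/// Check the header, map the RCODE, then collect A records from the answers.
pub fn parse_response(msg: &[u8], expect_id: u16) -> Option<Answer> {
    if msg.len() < 12 || u16::from_be_bytes([msg[0], msg[1]]) != expect_id {
        return None; // wrong or truncated message: do not trust it
    }
    if msg[2] & 0x80 == 0 {
        return None; // QR bit clear: not a response
    }
    match msg[3] & 0x0F {
        0 => {}
        3 => return Some(Answer::NxDomain),
        5 => return Some(Answer::Refused),
        r => return Some(Answer::Other(r)),
    }
    let qd = u16::from_be_bytes([msg[4], msg[5]]) as usize;
    let an = u16::from_be_bytes([msg[6], msg[7]]) as usize;
    let mut pos = 12;
    for _ in 0..qd {
        pos = skip_name(msg, pos)? + 4; // skip QTYPE + QCLASS
    }
    let mut addrs = Vec::new();
    for _ in 0..an {
        pos = skip_name(msg, pos)?;
        let rtype = u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]);
        let rdlen = u16::from_be_bytes([*msg.get(pos + 8)?, *msg.get(pos + 9)?]) as usize;
        let rdata = msg.get(pos + 10..pos + 10 + rdlen)?;
        if rtype == 1 && rdlen == 4 {
            addrs.push(Ipv4Addr::new(rdata[0], rdata[1], rdata[2], rdata[3]));
        }
        pos += 10 + rdlen; // TYPE, CLASS, TTL, RDLENGTH, RDATA
    }
    Some(if addrs.is_empty() { Answer::NoData } else { Answer::A(addrs) })
}

/// Send one query to the local server and decode the reply.
pub fn query(server: SocketAddr, name: &str) -> std::io::Result<Option<Answer>> {
    let sock = UdpSocket::bind("127.0.0.1:0")?;
    sock.set_read_timeout(Some(Duration::from_secs(2)))?;
    let id = 0x4D49; // fixed for the demo; use a random id in real code
    sock.send_to(&build_query(id, name), server)?;
    let mut buf = [0u8; 512];
    let (n, _) = sock.recv_from(&mut buf)?;
    Ok(parse_response(&buf[..n], id))
}

fn main() -> std::io::Result<()> {
    let mist: SocketAddr = "127.0.0.1:5380".parse().unwrap(); // assumed port
    for name in ["code.land.playform.cloud", "example.com"] {
        println!("{} -> {:?}", name, query(mist, name)?);
    }
    Ok(())
}
```

The decoder deliberately returns `None` rather than a guess when the transaction id does not match or the QR bit is clear, so a stray datagram on the socket cannot pass as a verdict about the sandbox.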
```sh
# Build the library
cargo build --release

# Run all tests
cargo test

# Run integration tests
cargo test --test integration

# Run with logging
RUST_LOG=debug cargo test
```

This project is released into the public domain under the Creative Commons CC0
Universal license. You are free to use, modify, distribute, and build upon
this work for any purpose, without any restrictions. For the full legal text,
see the LICENSE file.
Stay updated with our progress! See
CHANGELOG.md for a
history of changes specific to Mist.
Mist is a core element of the Land ecosystem. This project is funded through NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.
The project is operated by PlayForm, based in Sofia, Bulgaria.
PlayForm acts as the open-source steward for Code Editor Land under the NGI0 Commons Fund grant.
Logos: Land, PlayForm, NLnet, NGI0 Commons Fund.
Project Maintainers: Source Open (Source/Open@Land.PlayForm.Cloud) | GitHub Repository | Report an Issue | Security Policy