
Mist - Deep Dive

Mist DNS isolation layer - local authoritative DNS server for the editor.land zone, Hickory DNS architecture, forward allowlist enforcement, DNSSEC zone signing, and resolver construction for consumer integration.

Mist is the DNS isolation layer of the Land project. It runs a local authoritative DNS server for the editor.land zone so that all private network communication stays on loopback, and it refuses to resolve any external host that is not on the forward allowlist, which keeps sidecars from reaching hosts they were not authorised to contact.


Architecture

Mist is a Rust library built on Hickory DNS. It exposes a public API for starting the server, querying the bound port, and constructing resolvers. The DNS catalog contains two zones: an authoritative zone for editor.land and a restricted forward allowlist for external queries.

graph TB
    subgraph "Mist - DNS Isolation Server"
        LibRS["lib.rs<br/>Public API: start / dns_port"]
        ServerRS["server.rs<br/>Hickory UDP + TCP listeners"]
        ZoneRS["zone.rs<br/>editor.land zone authority"]
        ResolverRS["resolver.rs<br/>DNS resolver for consumers"]
        ForwardSecurity["forward_security.rs<br/>External allowlist enforcement"]
    end

    subgraph "DNS Catalog"
        AuthZone["editor.land zone<br/>*.editor.land → 127.0.0.1"]
        ForwardZone["Forward allowlist<br/>update.editor.land only"]
        DNSSEC["DNSSEC<br/>ECDSA P-256 zone signing"]
    end

    subgraph "Consumers"
        Mountain["Mountain<br/>DnsPort managed state"]
        SideCar["SideCar<br/>Node.js DNS environment variable"]
        Cocoon["Cocoon<br/>editor.land resolution"]
    end

    LibRS --> ServerRS
    ServerRS --> ZoneRS
    ServerRS --> ForwardSecurity
    ZoneRS --> AuthZone
    ZoneRS --> DNSSEC
    ForwardSecurity --> ForwardZone
    LibRS --> ResolverRS
    Mountain --> LibRS
    SideCar --> ResolverRS
    Cocoon --> ResolverRS

Key Modules

| Path | Description |
|---|---|
| Source/lib.rs | Public library API: start(port), dns_port(), module re-exports |
| Source/server.rs | Hickory DNS server: UDP/TCP socket binding, catalog wiring, async accept loop |
| Source/zone.rs | editor.land zone configuration: SOA, A records, wildcard resolution |
| Source/resolver.rs | LandDnsResolver: DNS client pointed at the local server for consumer use |
| Source/forward_security.rs | Forward allowlist: rejects external queries not on the approved list |
| tests/integration.rs | Integration tests: zone resolution, DNSSEC verification, forward blocking |

Data Flow

sequenceDiagram
    participant App as Application (Wind / Cocoon)
    participant Resolver as Land DNS Resolver
    participant MistServer as Mist DNS Server
    participant Catalog as DNS Catalog

    App->>Resolver: resolve("api.editor.land")
    Resolver->>MistServer: DNS query (UDP 127.0.0.1:PORT)
    MistServer->>Catalog: Lookup "api.editor.land"
    Catalog->>MistServer: A record → 127.0.0.1 (authoritative)
    MistServer->>Resolver: DNS response with RRSIG
    Resolver->>App: 127.0.0.1

    App->>Resolver: resolve("external.example.com")
    Resolver->>MistServer: DNS query
    MistServer->>Catalog: Lookup "external.example.com"
    Catalog->>MistServer: Not in allowlist → REFUSED
    MistServer->>Resolver: REFUSED response
    Resolver->>App: Resolution error
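The two exchanges in the diagram, as an added std-only example (this is not Mist's code; Mist builds on Hickory DNS and does none of this wire handling by hand). The zone name, the allowlist entry and the loopback answer come from the page; the function and type names, the TTL and the choice to drop malformed datagrams are assumptions made here. It parses a query, applies the policy, and emits either an authoritative A answer with the AA bit set, a REFUSED response, or a "forward this" signal:

```rust
// Added example (not Mist's own code; Mist builds on Hickory DNS): a std-only model of
// the query policy and the wire exchange above. Function and type names are assumptions.
use std::net::Ipv4Addr;

const AUTH_ZONE: &str = "editor.land";
const FORWARD_ALLOWLIST: &[&str] = &["update.editor.land"];
const TYPE_A: u16 = 1;
const RCODE_REFUSED: u16 = 5;

#[derive(Debug, PartialEq)]
pub enum Decision {
    Authoritative(Ipv4Addr), // answered from the local zone, AA bit set
    Forward,                 // on the allowlist: handed to the upstream forwarder
    Refused,                 // everything else: REFUSED, never forwarded
}

/// Lowercase and drop the trailing dot, so "API.editor.land." equals "api.editor.land".
fn normalise(qname: &str) -> String {
    qname.trim_end_matches('.').to_ascii_lowercase()
}

/// Policy. The allowlist is checked first: update.editor.land lies inside editor.land, so the
/// more specific name must win (a catalog keyed on zone origin picks the longest matching
/// suffix). The zone test is on a label boundary, so "evil-editor.land" and
/// "editor.land.attacker.com" are refused rather than answered with 127.0.0.1.
pub fn decide(qname: &str) -> Decision {
    let name = normalise(qname);
    if FORWARD_ALLOWLIST.contains(&name.as_str()) {
        return Decision::Forward;
    }
    if name == AUTH_ZONE || name.ends_with(&format!(".{AUTH_ZONE}")) {
        return Decision::Authoritative(Ipv4Addr::LOCALHOST);
    }
    Decision::Refused
}

pub struct Query { pub id: u16, pub name: String, pub qtype: u16, question: Vec<u8> }

/// Header plus the single question; question names carry no compression pointers.
pub fn parse_query(buf: &[u8]) -> Option<Query> {
    let hdr = buf.get(..12)?;
    let id = u16::from_be_bytes([hdr[0], hdr[1]]);
    if u16::from_be_bytes([hdr[4], hdr[5]]) != 1 { return None; } // QDCOUNT must be 1
    let (mut pos, mut labels) = (12usize, Vec::new());
    loop {
        let len = *buf.get(pos)? as usize;
        if len == 0 { pos += 1; break; }
        if len > 63 { return None; }                             // also rejects 0xC0 pointers
        labels.push(String::from_utf8_lossy(buf.get(pos + 1..pos + 1 + len)?).into_owned());
        pos += 1 + len;
    }
    let tail = buf.get(pos..pos + 4)?;
    let qtype = u16::from_be_bytes([tail[0], tail[1]]);
    Some(Query { id, name: labels.join("."), qtype, question: buf[12..pos + 4].to_vec() })
}

/// Wire response for a decided query, or None when it must go to the forwarder.
pub fn build_response(q: &Query, d: &Decision) -> Option<Vec<u8>> {
    let (flags, answers): (u16, u16) = match d {
        Decision::Forward => return None,
        Decision::Refused => (0x8000 | RCODE_REFUSED, 0),               // QR=1, RCODE=5
        Decision::Authoritative(_) if q.qtype == TYPE_A => (0x8400, 1), // QR=1, AA=1
        Decision::Authoritative(_) => (0x8400, 0),                      // AA, no data for other types
    };
    let mut out = Vec::with_capacity(q.question.len() + 28);
    out.extend_from_slice(&q.id.to_be_bytes());
    out.extend_from_slice(&flags.to_be_bytes());
    for count in [1u16, answers, 0, 0] { out.extend_from_slice(&count.to_be_bytes()); } // QD AN NS AR
    out.extend_from_slice(&q.question);
    if let (Decision::Authoritative(ip), 1) = (d, answers) {
        out.extend_from_slice(&[0xC0, 0x0C, 0, 1, 0, 1]); // NAME -> offset 12, TYPE A, CLASS IN
        out.extend_from_slice(&60u32.to_be_bytes());      // TTL (assumed value)
        out.extend_from_slice(&[0, 4]);                   // RDLENGTH
        out.extend_from_slice(&ip.octets());
    }
    Some(out)
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Reply(Vec<u8>), Forward(String), Drop }

/// One datagram in. Malformed input is dropped, never forwarded, so a garbage packet
/// can never be a route past the allowlist.
pub fn handle(buf: &[u8]) -> Outcome {
    let Some(q) = parse_query(buf) else { return Outcome::Drop };
    match build_response(&q, &decide(&q.name)) {
        Some(bytes) => Outcome::Reply(bytes),
        None => Outcome::Forward(q.name),
    }
}

/// Encode a query as a stub resolver would (constructed test input, not captured traffic).
pub fn build_query(id: u16, name: &str, qtype: u16) -> Vec<u8> {
    let mut out = id.to_be_bytes().to_vec();
    out.extend_from_slice(&[0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]); // RD=1, QDCOUNT=1
    for label in name.trim_end_matches('.').split('.') {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.extend_from_slice(&[0, (qtype >> 8) as u8, qtype as u8, 0, 1]); // root label, QTYPE, IN
    out
}
```

Two details are worth carrying into tests/integration.rs if they are not already there: the allowlist check above is an exact match, so a name beneath update.editor.land is still answered locally; if Mist registers update.editor.land as a forwarder zone origin instead, names beneath it would also be forwarded, which is a wider hole than "this domain only" suggests. And the label-boundary check is the part that matters for isolation: a plain `ends_with("editor.land")` would answer 127.0.0.1 for evil-editor.land, which is harmless here, but the same sloppiness applied to the allowlist would forward evil-update.editor.land.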

Startup sequence:

  1. Mountain calls Mist::start(5380) during initialization.
  2. Mist attempts to bind to port 5380; if unavailable, portpicker selects an alternative.
  3. The bound port is stored in Mountain’s DnsPort managed Tauri state.
  4. Mountain passes the port to Air and SideCar so they configure their DNS clients accordingly.
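The bind-with-fallback part of that sequence, as an added example using only std sockets (this is not Mist's code, which hands its sockets to Hickory and uses the portpicker crate for the fallback; the names here are assumptions). The point it makes is that UDP and TCP must end up on the same loopback port, so the fallback has to retry the pair rather than pick each transport's port independently:

```rust
// Added example (not Mist's code): loopback-only bind with port fallback, std only.
use std::io;
use std::net::{Ipv4Addr, SocketAddrV4, TcpListener, UdpSocket};

const BIND_IP: Ipv4Addr = Ipv4Addr::LOCALHOST; // never an external interface
pub const PREFERRED_PORT: u16 = 5380;

pub struct Bound { pub udp: UdpSocket, pub tcp: TcpListener, pub port: u16 }

/// Take `port` for both transports; fail if either is unavailable so that
/// UDP and TCP can never end up on different port numbers.
fn bind_pair(port: u16) -> io::Result<Bound> {
    let udp = UdpSocket::bind(SocketAddrV4::new(BIND_IP, port))?;
    let port = udp.local_addr()?.port(); // the kernel's choice when `port` was 0
    let tcp = TcpListener::bind(SocketAddrV4::new(BIND_IP, port))?;
    Ok(Bound { udp, tcp, port })
}

/// Prefer `preferred`; otherwise let the kernel pick a free UDP port and retry
/// until TCP can be bound on the same number.
pub fn start(preferred: u16) -> io::Result<Bound> {
    if let Ok(b) = bind_pair(preferred) { return Ok(b); }
    let mut last = None;
    for _ in 0..8 {
        match bind_pair(0) {
            Ok(b) => return Ok(b),
            Err(e) => last = Some(e),
        }
    }
    Err(last.unwrap_or_else(|| io::Error::new(io::ErrorKind::AddrInUse, "no free port")))
}

/// What a consumer should check before pointing its resolver at `port`:
/// both sockets on loopback, both on the same port.
pub fn is_loopback_only(b: &Bound) -> bool {
    match (b.udp.local_addr(), b.tcp.local_addr()) {
        (Ok(u), Ok(t)) => u.ip().is_loopback() && t.ip().is_loopback() && u.port() == t.port(),
        _ => false,
    }
}

fn main() -> io::Result<()> {
    let b = start(PREFERRED_PORT)?;
    println!("mist listening on 127.0.0.1:{} (loopback only: {})", b.port, is_loopback_only(&b));
    Ok(())
}
```

Because the fallback can land on any port, nothing downstream may hard-code 5380; that is the reason step 3 stores the bound port in Mountain's DnsPort state and step 4 passes it on explicitly.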

Integration Points

| Connecting Element | Direction | Mechanism | Description |
|---|---|---|---|
| Mountain | Consumer | Mist::start() Rust API | Mountain starts Mist and stores the port in DnsPort managed state |
| SideCar | Consumer | Environment variable | SideCar passes the DNS port to spawned Node.js processes via NODE_EXTRA_CA_CERTS / DNS override |
| Cocoon | Indirect consumer | Node.js DNS override | Cocoon resolves cocoon.editor.land and Mountain gRPC addresses through Mist |

Note that NODE_EXTRA_CA_CERTS only adds certificates to the Node.js TLS trust store and has no effect on name resolution; the DNS port reaches the child process through the separate DNS override, not through that variable.

Configuration

| Parameter | Value | Description |
|---|---|---|
| Preferred port | 5380 | Primary bind port; falls back to any available port if taken |
| Bind address | 127.0.0.1 | Loopback only, no external interface exposure |
| Authoritative zone | editor.land | All subdomains resolve to 127.0.0.1 |
| Forward allowlist | update.editor.land | Only this domain may be resolved externally |
| DNSSEC algorithm | ECDSA P-256 | Zone signing key algorithm |
| Transport | UDP + TCP | Hickory serves both; clients may use either |

DNSSEC signing is performed at zone load time. The DNSKEY and RRSIG records are included in responses to clients that request DNSSEC data (DO bit set); clients that do not set DO receive plain answers. Because editor.land is not delegated from the public DNS root, these signatures cannot be validated through the normal chain of trust: a consumer resolver that is meant to validate them has to be configured with Mist's DNSKEY as an explicit trust anchor, otherwise the RRSIGs travel with the answer but are never checked.