Skip to main content

Mist/
ForwardSecurity.rs

1//! # DNS Forward Security
2//!
3//! Allowlist-based security wrapper for DNS forwarding.
4//! Prevents sidecars from reaching arbitrary external hosts via DNS.
5//!
6//! ```text
7//! Query ──► Is *.editor.land? ──► Authoritative (Local)
8//!            │ No
9//!            ▼
10//!     Is in Allowlist? ──► Forward to Upstream
11//!            │ No
12//!            ▼
13//!        Return REFUSED
14//! ```
15
16use anyhow::{Result, anyhow};
17use hickory_proto::rr::Name;
18
19/// Returns the default DNS forward allowlist.
20///
21/// Domains in the allowlist may be forwarded to upstream DNS servers.
22/// All other domains receive `REFUSED`.
23pub fn DefaultForwardAllowlist() -> impl Iterator<Item = Result<Name>> {
24	vec![Name::from_ascii("update.land.playform.cloud.")]
25		.into_iter()
26		.map(|R| R.map_err(|E| anyhow!("Failed to parse domain name: {}", E)))
27}
28
29#[cfg(test)]
30mod tests {
31
32	use super::*;
33
34	#[test]
35	fn TestAllowlistGeneration() {
36		let Allowlist:Vec<Name> = DefaultForwardAllowlist().filter_map(|R| R.ok()).collect();
37
38		assert!(!Allowlist.is_empty(), "Allowlist should not be empty");
39	}
40}