mist/ForwardSecurity.rs
1#![allow(non_snake_case, non_camel_case_types, non_upper_case_globals)]
2//! # DNS Forward Security
3//!
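4//! Allowlist-based security wrapper for DNS forwarding.
5//! Prevents sidecars from reaching arbitrary external hosts via DNS: only allowlisted names are forwarded upstream. This limits name resolution only; connections made directly to an IP address need a separate egress control.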
6//!
7//! ```text
8//! Query ──► Is *.editor.land? ──► Authoritative (Local)
9//! │ No
10//! ▼
11//! Is in Allowlist? ──► Forward to Upstream
12//! │ No
13//! ▼
14//! Return REFUSED
15//! ```
16
17use anyhow::{anyhow, Result};
18use hickory_proto::rr::Name;
19
/// Yields the built-in DNS forward allowlist, one parsed name per entry.
///
/// A query for a name on this list may be forwarded to an upstream DNS server;
/// every other non-local name is answered with `REFUSED`.
///
/// Each item is a `Result`, so a malformed entry surfaces as an `Err` carrying
/// the parser's message instead of aborting the whole list.
///
/// # Errors
///
/// An item is `Err` when `Name::from_ascii` rejects the corresponding entry.
/// Callers that discard `Err` items end up with a shorter allowlist: the
/// affected domain is then refused rather than forwarded, which fails closed
/// but hides the misconfiguration. Prefer reporting the error at start-up.
///
/// NOTE(review): whether a listed name also covers its subdomains is decided by
/// the matching code, which is not visible in this file; confirm there.
pub fn DefaultForwardAllowlist() -> impl Iterator<Item = Result<Name>> {
    // Entries carry a trailing dot, i.e. they are written as fully-qualified names.
    const Domains: &[&str] = &["update.editor.land."];

    Domains.iter().copied().map(|Domain| {
        Name::from_ascii(Domain)
            .map_err(|Cause| anyhow!("Failed to parse domain name: {}", Cause))
    })
}
29
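#[cfg(test)]
mod tests {
    use super::*;

    /// The default allowlist must parse completely and must not be empty.
    ///
    /// Parse failures are not filtered out here: a malformed entry would
    /// otherwise vanish from the list silently and the test would still pass
    /// as long as one other entry remained.
    #[test]
    fn TestAllowlistGeneration() {
        // Collecting into `Result<Vec<_>>` stops at the first `Err`, so a
        // single bad entry fails the test with the parser's message.
        let Allowlist: Vec<Name> = DefaultForwardAllowlist()
            .collect::<Result<Vec<Name>>>()
            .expect("every default allowlist entry must parse");

        assert!(!Allowlist.is_empty(), "Allowlist should not be empty");
    }
}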