
feat(dns): restrict plain DNS output traffic#3129

Draft
qdm12 wants to merge 1 commit into master from dns-plain-output-retricted

Conversation

@qdm12 (Owner) commented Feb 10, 2026

Description

It turns out some VPN infrastructure spoofs plain DNS responses, at least when trying to reach a non-working DNS server address such as 1.2.3.4. I'm not sure if they spoof all DNS responses, but that sounds like a security/privacy issue to me. I think it would be wise to firewall-lock output PLAIN DNS traffic to:

  • the fallback plain DNS address used when the DNS server fails
  • 127.0.0.1, to use the built-in gluetun DNS server
  • local IP addresses found in /etc/resolv.conf, such that the built-in DNS server's local middleware can reach out to those and resolve container names etc.
  • if using the plain upstream type for DNS, the configured upstream IP addresses

One should also:

  • log a warning when using a plain DNS address, saying that DNS traffic might be spoofed by the VPN infrastructure. Maybe add some code to verify if that's the case!

Issue

Found whilst fiddling with #3109 where I had to run

# Catch-all: drop plain DNS (UDP and TCP port 53) leaving the container
iptables -I OUTPUT -p udp --dport 53 -j DROP
iptables -I OUTPUT -p tcp --dport 53 -j DROP
# Inserted afterwards with -I, so these land above the DROPs in the chain:
# only the built-in DNS server on loopback stays reachable on port 53
iptables -I OUTPUT -p udp -d 127.0.0.1 --dport 53 -j ACCEPT
iptables -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT

to block plain DNS from escaping.

Assertions

  • I am aware that we do not accept manual changes to the servers.json file
  • I am aware that any changes to settings should be reflected in the wiki
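The following Go program is an added example written for this page; it is not code from gluetun or from this PR. It builds the plain-DNS allow list described in the PR (loopback for the built-in server, the fallback address, the local nameservers parsed from /etc/resolv.conf, and any plain upstream addresses), emits the iptables invocations in the order the PR's manual rules use, and includes a probe for the spoofing check suggested in the last bullet: query a destination that is known not to run a DNS server, and treat any reply (including NXDOMAIN) as evidence that something on the path is answering for it. The fallback address 1.1.1.1, the resolv.conf content, the TEST-NET probe target and all function names are constructed for the example; only IPv4 rules are generated.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// resolvConfNameservers returns the IPv4 "nameserver" entries in resolv.conf
// content that are loopback, private or link-local, i.e. addresses a container
// DNS middleware can reach without leaving the local network. Public and IPv6
// addresses are skipped because this example only emits IPv4 iptables rules.
func resolvConfNameservers(content string) []netip.Addr {
	var out []netip.Addr
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexAny(line, "#;"); i >= 0 { // strip comments
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue
		}
		addr, err := netip.ParseAddr(fields[1])
		if err != nil || !addr.Is4() {
			continue
		}
		if addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() {
			out = append(out, addr)
		}
	}
	return out
}

// plainDNSAllowList merges the four allowed destination groups from the PR,
// deduplicates them and sorts them so the generated rules are deterministic.
func plainDNSAllowList(fallback netip.Addr, resolvConf string, plainUpstreams []netip.Addr) []netip.Addr {
	seen := map[netip.Addr]bool{}
	add := func(a netip.Addr) {
		if a.IsValid() && a.Is4() {
			seen[a] = true
		}
	}
	add(netip.MustParseAddr("127.0.0.1")) // built-in gluetun DNS server
	add(fallback)                         // fallback plain DNS address
	for _, a := range resolvConfNameservers(resolvConf) {
		add(a) // local resolvers, e.g. Docker's embedded DNS on 127.0.0.11
	}
	for _, a := range plainUpstreams {
		add(a) // configured plain upstream servers
	}
	list := make([]netip.Addr, 0, len(seen))
	for a := range seen {
		list = append(list, a)
	}
	sort.Slice(list, func(i, j int) bool { return list[i].Less(list[j]) })
	return list
}

// plainDNSRules returns iptables invocations in the order they must be run.
// Every rule uses -I so it lands at the top of OUTPUT, ahead of any existing
// ACCEPT-all rule; the catch-all DROPs are therefore emitted first and the
// per-address ACCEPTs last, so the final chain evaluates the ACCEPTs first.
func plainDNSRules(allow []netip.Addr) []string {
	var rules []string
	for _, proto := range []string{"udp", "tcp"} {
		rules = append(rules, fmt.Sprintf("iptables -I OUTPUT -p %s --dport 53 -j DROP", proto))
	}
	for _, a := range allow {
		for _, proto := range []string{"udp", "tcp"} {
			rules = append(rules, fmt.Sprintf("iptables -I OUTPUT -p %s -d %s --dport 53 -j ACCEPT", proto, a))
		}
	}
	return rules
}

// plainDNSAnswered sends a plain DNS query for name to dnsAddr, which the
// caller chooses as an address known NOT to run a DNS server (the PR's 1.2.3.4).
// Any reply, including NXDOMAIN, means something on the path is answering plain
// DNS on behalf of arbitrary destinations; a timeout or unreachable route is the
// expected, non-spoofed outcome and yields false.
func plainDNSAnswered(ctx context.Context, dnsAddr netip.AddrPort, name string) (bool, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, network, dnsAddr.String()) // ignore resolv.conf servers
		},
	}
	ips, err := r.LookupNetIP(ctx, "ip4", name)
	var dnsErr *net.DNSError
	switch {
	case err == nil:
		return len(ips) > 0, nil
	case errors.As(err, &dnsErr) && dnsErr.IsNotFound:
		return true, nil // NXDOMAIN is still a reply from a server that should not exist
	default:
		return false, err
	}
}

func main() {
	// Constructed resolv.conf as Docker's embedded DNS would write it.
	const resolvConf = "# Generated by Docker\nnameserver 127.0.0.11\noptions ndots:0\n"
	allow := plainDNSAllowList(netip.MustParseAddr("1.1.1.1"), resolvConf, nil)
	for _, rule := range plainDNSRules(allow) {
		fmt.Println(rule)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	spoofed, err := plainDNSAnswered(ctx, netip.MustParseAddrPort("192.0.2.1:53"), "example.com")
	fmt.Printf("plain DNS to a non-working address answered: %v (err: %v)\n", spoofed, err)
}
```

The probe only proves spoofing when it returns true; a false result with a timeout says nothing about whether real upstream addresses are being intercepted, which is why the PR keeps the firewall rules as the primary control and the warning as a secondary one.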
