[plan] implement dns-over-https support

[github-actions]

Objective

Add DNS-over-HTTPS (DoH) support to prevent DNS MITM attacks and enhance privacy by encrypting DNS queries.

Context

Current state: DNS queries use unencrypted UDP to trusted servers (8.8.8.8, 8.8.4.4) which could be intercepted or modified.

Risk level: 🟡 MEDIUM - DNS spoofing risk identified in threat model

Implementation Approach

1. Add --dns-over-https CLI flag with optional DoH resolver endpoint
2. Default DoH resolver: https://dns.google/dns-query (Google DNS over HTTPS)
3. Update agent container to use DoH client (e.g., cloudflared or dnscrypt-proxy)
4. Update iptables rules to allow HTTPS to DoH endpoint
5. Fall back to traditional DNS if DoH unavailable

Files to Modify

• src/cli.ts - Add --dns-over-https flag with optional resolver URL
• src/host-iptables.ts - Allow HTTPS traffic to DoH endpoints
• containers/agent/setup-iptables.sh - Configure DoH client in container
• containers/agent/Dockerfile - Install DoH client binary
• src/types.ts - Add DoH config to WrapperConfig interface
• README.md - Document new flag and security benefits

Testing

• Verify DNS queries use HTTPS when --dns-over-https enabled
• Confirm fallback to UDP DNS when DoH unavailable
• Test with custom DoH resolver endpoint
• Validate blocked domains still rejected with DoH

Acceptance Criteria

• --dns-over-https flag enables encrypted DNS queries
• DoH requests visible in Squid logs (HTTPS to dns.google)
• Legacy UDP DNS blocked when DoH enabled
• Custom DoH resolver endpoints supported
• Documentation updated with security rationale
  Related to [plan] security improvements from threat model review #306

AI generated by Plan Command for discussion #302