Commit 75928fa
feat: transparent DNS interception via in-namespace server
Implements transparent DNS interception in Linux strong jails by running a
dedicated DNS server inside the network namespace.
Key Features:
- ForkedDnsProcess manages child process running DummyDnsServer
- All DNS queries (UDP port 53) redirected via nftables DNAT
- Returns fixed dummy response (6.6.6.6) for all A record queries
- Privilege dropping after binding to port 53 (nobody:nogroup)
- PR_SET_PDEATHSIG ensures DNS server terminates with parent
- Fork safety: closes all inherited file descriptors
- IPv6 support: DNS DNAT to ::1, blocks other IPv6 egress
Security:
- Prevents DNS exfiltration via subdomain encoding
- Blocks all external DNS servers
- Prevents DNS-over-HTTPS/TLS attempts at network level
Dependencies:
- Added simple-dns 0.7 for DNS packet handling
- Added nix crate features for process/namespace management
- Added command_utils module for timeout handling
1 parent: fa57720
5 files changed
Lines changed: 628 additions & 378 deletions
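The commit message above describes the shape of DummyDnsServer (bind UDP/53 inside the namespace, answer every A query with 6.6.6.6) without showing the packet handling. The block below is an added example, not the project's code: a std-only Rust responder that parses the single question of an incoming query, echoes it, and appends one A record pointing at 6.6.6.6. The project uses simple-dns 0.7; this example does the wire format by hand so it runs without external crates. Assumptions not in the commit: non-A queries get an empty NOERROR answer, the answer TTL is 0, `serve`/`make_query` and the 127.0.0.1:5353 bind in `main` are illustrative names and values.

```rust
// Added example (not the project's own code): a minimal UDP DNS responder that
// answers every A query with a fixed address, as the commit describes for
// DummyDnsServer. Wire format handled by hand instead of via simple-dns.
use std::net::{Ipv4Addr, UdpSocket};

/// Fixed answer for every A query (value taken from the commit message).
pub const DUMMY_A: Ipv4Addr = Ipv4Addr::new(6, 6, 6, 6);
const QTYPE_A: u16 = 1;
const QCLASS_IN: u16 = 1;

/// Parsed view of the single question in a query.
pub struct Question {
    pub name: String,
    pub qtype: u16,
    pub qclass: u16,
    /// Offset of the first byte after the question section.
    pub end: usize,
}

/// Walk the label sequence starting at offset 12 (queries carry no compression pointers).
pub fn parse_question(pkt: &[u8]) -> Option<Question> {
    if pkt.len() < 12 || u16::from_be_bytes([pkt[4], pkt[5]]) != 1 {
        return None; // need a full header and exactly one question
    }
    let mut pos = 12;
    let mut labels = Vec::new();
    loop {
        let len = *pkt.get(pos)? as usize;
        pos += 1;
        if len == 0 { break; }
        if len & 0xC0 != 0 { return None; } // compression pointer in a query: reject
        let label = pkt.get(pos..pos + len)?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += len;
    }
    let qtype = u16::from_be_bytes([*pkt.get(pos)?, *pkt.get(pos + 1)?]);
    let qclass = u16::from_be_bytes([*pkt.get(pos + 2)?, *pkt.get(pos + 3)?]);
    Some(Question { name: labels.join("."), qtype, qclass, end: pos + 4 })
}

/// Build the response: copy the ID, set QR/RA, echo the question, and for A/IN
/// questions append one RR pointing at DUMMY_A. Other types get an empty
/// NOERROR answer (an assumption of this example, not stated in the commit).
pub fn build_response(query: &[u8]) -> Option<Vec<u8>> {
    let q = parse_question(query)?;
    let answer_a = q.qtype == QTYPE_A && q.qclass == QCLASS_IN;
    let mut out = Vec::with_capacity(q.end + 16);
    out.extend_from_slice(&query[0..2]);            // transaction ID
    let rd = query[2] & 0x01;                        // keep RD as the client sent it
    out.push(0x80 | rd);                             // QR=1, opcode 0, AA=0, TC=0
    out.push(0x80);                                  // RA=1, RCODE=0 (NOERROR)
    out.extend_from_slice(&[0, 1]);                  // QDCOUNT
    out.extend_from_slice(&[0, answer_a as u8]);     // ANCOUNT
    out.extend_from_slice(&[0, 0, 0, 0]);            // NSCOUNT, ARCOUNT
    out.extend_from_slice(&query[12..q.end]);        // question section verbatim
    if answer_a {
        out.extend_from_slice(&[0xC0, 0x0C]);        // NAME: pointer to offset 12
        out.extend_from_slice(&QTYPE_A.to_be_bytes());
        out.extend_from_slice(&QCLASS_IN.to_be_bytes());
        out.extend_from_slice(&0u32.to_be_bytes());  // TTL 0: resolver must not cache
        out.extend_from_slice(&4u16.to_be_bytes());  // RDLENGTH
        out.extend_from_slice(&DUMMY_A.octets());
    }
    Some(out)
}

/// Serve forever on `bind`; inside the jail this would be port 53, reached via
/// the commit's nftables DNAT (binding below 1024 needs CAP_NET_BIND_SERVICE).
pub fn serve(bind: &str) -> std::io::Result<()> {
    let sock = UdpSocket::bind(bind)?;
    let mut buf = [0u8; 512];
    loop {
        let (n, peer) = sock.recv_from(&mut buf)?;
        if let Some(resp) = build_response(&buf[..n]) {
            sock.send_to(&resp, peer)?;
        }
    }
}

/// Encode a query packet; constructed test input, not captured traffic.
pub fn make_query(id: u16, name: &str, qtype: u16) -> Vec<u8> {
    let mut pkt = Vec::new();
    pkt.extend_from_slice(&id.to_be_bytes());
    pkt.extend_from_slice(&[0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]); // RD=1, QDCOUNT=1
    for label in name.split('.') {
        pkt.push(label.len() as u8);
        pkt.extend_from_slice(label.as_bytes());
    }
    pkt.push(0);
    pkt.extend_from_slice(&qtype.to_be_bytes());
    pkt.extend_from_slice(&QCLASS_IN.to_be_bytes());
    pkt
}

fn main() {
    // Unprivileged port for a local try; the jail binds :53 then drops to nobody.
    if let Err(e) = serve("127.0.0.1:5353") { eprintln!("dns: {e}"); }
}
```

The responder is deliberately oblivious to the query name: a subdomain-encoded exfiltration attempt like `exfil.data.example.com` gets the same 6.6.6.6 as any other name, and nothing is forwarded out of the namespace. Returning TTL 0 keeps client resolvers from caching the dummy answer across a later policy change.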