feat: transparent DNS interception via in-namespace server

Implements transparent DNS interception in Linux strong jails to prevent
DNS exfiltration via subdomain encoding attacks.

## Core Implementation

- **ForkedDnsProcess**: Manages child process running DummyDnsServer inside
  network namespace with proper privilege dropping and cleanup
- **DummyDnsServer**: Returns 6.6.6.6 for all A record queries using
  simple-dns library
- **DNS Redirection**: nftables rules redirect all UDP port 53 traffic to
  in-namespace DNS server (6.6.6.6)
- **IPv6 Support**: Separate ip6 table with DNS DNAT to ::1 and blocks
  other IPv6 egress

## Security Features

- DNS server drops privileges to nobody:nogroup (UID/GID 65534) after
  binding port 53
- Uses PR_SET_PDEATHSIG(SIGTERM) to ensure DNS server terminates with parent
- Closes all inherited file descriptors (3-1024) to avoid tokio runtime issues
- Prevents DNS exfiltration - external DNS servers (1.1.1.1, 8.8.8.8) are
  unreachable from jail

## Dependencies

- Added simple-dns = "0.7" for DNS packet parsing
- Added nix features: process, fs, sched, user, signal (Linux-only)
- Added command_utils module for command execution with timeout handling

## Testing

- Fixed #![allow(deprecated)] placement in test files (must be line 1)
- Fixed test_weak_mode_allows_localhost to accept exit code 28 (timeout)
  in addition to 7 (connection refused) and 52 (empty reply) since the
  proxy may timeout when trying to connect to localhost:80

## Platform Support

- Linux: Full DNS interception via network namespaces (strong jail)
- macOS: Weak mode only (no DNS changes needed)

Co-authored-by: Claude <assistant@anthropic.com>

Author: ammar-agent

CLAUDE.md

@@ -132,6 +132,51 @@ on both targets.
 
 After modifying code, run `cargo fmt` to ensure consistent formatting before committing changes.
 
+## System Resource Cleanup
+
+**CRITICAL: All global system resources MUST be properly cleaned up to prevent resource leaks.**
+
+### Linux System Resources
+
+The following system resources are created for each jail and MUST be cleaned up:
+
+1. **Network Namespace** (`NetworkNamespace`) - `/var/run/netns/httpjail_<jail_id>`
+2. **Virtual Ethernet Pairs** (`VethPair`) - `veth_host_<jail_id>` and `veth_ns_<jail_id>`
+3. **NFTables Rules** (`NFTable`) - iptables/nftables rules for traffic redirection
+4. **DNS Server Process** (`ForkedDnsProcess`) - Child process running in namespace
+5. **Any namespace-specific configuration** - e.g., `/etc/netns/<namespace>` if created
+
+### Cleanup Mechanisms
+
+1. **Normal Exit**: Resources implement `Drop` trait for automatic cleanup
+2. **Orphan Cleanup**: `cleanup_orphaned()` handles resources from crashed instances
+3. **Process Cleanup**: Must kill ALL processes in namespace before deletion
+4. **Order Matters**: Clean processes first, then network resources, then namespace
+
+### Implementation Requirements
+
+When adding new system resources:
+- Implement `SystemResource` trait with proper `cleanup()` method
+- Add to `cleanup_orphaned()` for crash recovery
+- Ensure `Drop` implementation for normal cleanup
+- Test with `--no-jail-cleanup` flag to verify cleanup works
+- Use `ManagedResource<T>` wrapper for automatic cleanup on drop
+
+### Testing Cleanup
+
+```bash
+# Test orphan cleanup
+sudo ./target/debug/httpjail --js "true" -- sleep 100 &
+PID=$!
+sudo kill -9 $PID  # Simulate crash
+sudo ./target/debug/httpjail --cleanup  # Should clean up orphaned resources
+
+# Verify no resources left
+ip netns list | grep httpjail  # Should be empty
+ip link show | grep veth_      # Should show no jail veths
+sudo iptables -L -t nat | grep httpjail  # Should show no jail rules
+```
+
 ## Logging
 
 In regular operation of the CLI-only jail (non-server mode), info and warn logs are not permitted as they would interfere with the underlying process output. Only use debug level logs for normal operation and error logs for actual errors. The server mode (`--server`) may use info/warn logs as appropriate since it has no underlying process.