test(proxy): cover QUIC DNS suppression boundaries

Strengthen the focused DNS coverage for the block_quic HTTPS/SVCB suppression path.

The new tests verify that the local empty-answer response preserves the client recursion-desired bit, clears additional-record state instead of echoing EDNS-style trailing data, rejects compressed question names, and ignores non-IN classes. These cases keep the helper intentionally narrow: only ordinary single-question IN queries for HTTPS or SVCB are answered locally.

Clarify the guide note to state that ordinary A/AAAA DNS questions are unchanged by this policy.

Author: maybeknott

docs/guide.md

@@ -317,7 +317,7 @@ Memory footprint ~15–20 MB resident — fine on anything ≥128 MB RAM. No UI
 - **`mhrv-rs test-sni`** — parallel TLS probe of every SNI name in your rotation pool against `google_ip`. Tells you which front-domain names pass through your ISP's DPI. UI has same thing in **SNI pool…** window with checkboxes, per-row **Test** buttons, and **Keep ✓ only** to auto-trim.
 - **Periodic stats** logged every 60 s at `info` level (relay calls, cache hit rate, bytes relayed, active vs blacklisted scripts). UI shows live.
 
-When `block_quic = true`, the SOCKS5 UDP relay drops UDP/443 datagrams and answers DNS HTTPS/SVCB (type 65/64) questions with an empty successful response. Browsers then skip HTTP/3 advertisement and fall back to TCP/HTTPS sooner, without forwarding those QUIC discovery packets through the relay.
+When `block_quic = true`, the SOCKS5 UDP relay drops UDP/443 datagrams and answers DNS HTTPS/SVCB (type 65/64) questions with an empty successful response. Ordinary A/AAAA DNS questions are unchanged. Browsers then skip HTTP/3 advertisement and fall back to TCP/HTTPS sooner, without forwarding those QUIC discovery packets through the relay.
 
 ### SNI pool editor
 

src/proxy_server.rs

@@ -3600,6 +3600,13 @@ mod tests {
         q
     }
 
+    fn dns_query_with_class(qtype: u16, qclass: u16) -> Vec<u8> {
+        let mut q = dns_query(qtype);
+        let n = q.len();
+        q[n - 2..n].copy_from_slice(&qclass.to_be_bytes());
+        q
+    }
+
     #[test]
     fn dns_https_question_gets_empty_success_response() {
         let query = dns_query(DNS_TYPE_HTTPS);
@@ -3612,6 +3619,20 @@ mod tests {
         assert_eq!(&response[12..], &query[12..]);
     }
 
+    #[test]
+    fn dns_https_response_preserves_rd_and_clears_additional_records() {
+        let mut query = dns_query(DNS_TYPE_HTTPS);
+        // Pretend the client included one additional record after the
+        // question. The local policy answer must not echo that section.
+        query[11] = 1;
+        query.extend_from_slice(&[0, 0, 41, 16, 0, 0, 0, 0, 0, 0, 0]);
+
+        let response = dns_empty_response_for_https_or_svcb(&query).unwrap();
+        assert_eq!(response[2] & 0x01, 0x01);
+        assert_eq!(&response[10..12], &[0, 0]);
+        assert!(response.len() < query.len());
+    }
+
     #[test]
     fn dns_svcb_question_gets_empty_success_response() {
         let query = dns_query(DNS_TYPE_SVCB);
@@ -3631,6 +3652,24 @@ mod tests {
         assert!(dns_empty_response_for_https_or_svcb(&query).is_none());
     }
 
+    #[test]
+    fn dns_compressed_question_name_is_not_suppressed() {
+        let mut query = Vec::new();
+        query.extend_from_slice(&[0x12, 0x34, 0x01, 0x00]);
+        query.extend_from_slice(&[0x00, 0x01, 0x00, 0x00]);
+        query.extend_from_slice(&[0x00, 0x00, 0x00, 0x00]);
+        query.extend_from_slice(&[0xc0, 0x0c]);
+        query.extend_from_slice(&DNS_TYPE_HTTPS.to_be_bytes());
+        query.extend_from_slice(&1u16.to_be_bytes());
+        assert!(dns_empty_response_for_https_or_svcb(&query).is_none());
+    }
+
+    #[test]
+    fn dns_non_in_question_is_not_suppressed() {
+        let query = dns_query_with_class(DNS_TYPE_HTTPS, 3);
+        assert!(dns_empty_response_for_https_or_svcb(&query).is_none());
+    }
+
     #[test]
     fn doh_default_list_exact_matches() {
         let extra: Vec<String> = vec![];