authorLennart Poettering <lennart@poettering.net>2021-11-22 12:20:05 +0100
committerLennart Poettering <lennart@poettering.net>2021-11-22 22:33:24 +0100
commita8d09063447568d87288a8e868fe386c1da7ce09 (patch)
treeb61ea5adbb8a517ecd64ce2407491eb193f67942 /src/shared/resolve-util.h
parentc1b91f06b93ba29eafbf50f4858aedfb6ded4ff1 (diff)
resolved: add "proxy-only" stub on 127.0.0.54
This beefs up the DNS stub logic to listen on two IP addresses: 127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contacted, our stub will operate in "bypass" mode only, i.e. we'll try to pass DNS requests upstream as unmodified as we can (and not do mDNS/LLMNR and such, also no DNSSEC validation – but we'll still do DNS-over-TLS wrapping).

This is supposed to be useful for container environments or tethering: this stub could be exposed (via NAT redirect) to clients of this system and we'll try to stay out of the way and not do too much DNS magic ourselves, but still expose whatever the current DNS server is from upstream under a stable address/port.

How to use this:

    # iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
    # echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
Diffstat (limited to 'src/shared/resolve-util.h')
-rw-r--r--src/shared/resolve-util.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h
index c4d9275368..d9ab387301 100644
--- a/src/shared/resolve-util.h
+++ b/src/shared/resolve-util.h
@@ -5,9 +5,12 @@
#include "in-addr-util.h"
#include "macro.h"
-/* 127.0.0.53 in native endian */
+/* 127.0.0.53 in native endian (The IP address we listen on with the full DNS stub, i.e. that does LLMNR/mDNS, and stuff) */
#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
+/* 127.0.0.54 in native endian (The IP address we listen on we only implement "proxy" mode) */
+#define INADDR_DNS_PROXY_STUB ((in_addr_t) 0x7f000036U)
+
typedef enum DnsCacheMode DnsCacheMode;
enum DnsCacheMode {
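Review bot: The comment added above `INADDR_DNS_PROXY_STUB` is missing a word ("we listen on we only implement") and omits the one property a reader of this header needs when choosing between the two addresses: per the commit description, the 127.0.0.54 stub passes requests upstream without DNSSEC validation and without LLMNR/mDNS. I would write it as `/* 127.0.0.54 in native endian (the IP address of the stub that only implements "proxy" mode: requests are passed upstream as unmodified as possible, with no LLMNR/mDNS and no DNSSEC validation) */`. Both constants are in host byte order, so the comments could also say that the value has to be converted to network order before it is stored in a `sin_addr.s_addr`; the code that uses the macros is outside this hunk, so this is a documentation point only. The `enum DnsCacheMode` body continues past the end of the hunk.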