unbound
[FR] make option to mitigate DNS cache poisoning attack by switching to TCP resolve for attacked domain
Current behavior
There is no auto mitigation for an attacked domain in case DNSSEC is off.
unwanted-reply-threshold can only flush caches - it is bad in all cases.
Describe the desired feature
unbound can detect non-queried answers and mark domains from such answers as attacked in cache.
When renew time comes, unbound can check the "attacked" flag and, if it is set, send queries via TCP first.
Also some rate limit and expire time for this flag should exist, to not treat every non-queried answer as an attack.
The attack flag should expire after some time.
It is some extension for the unwanted-reply-threshold option.
Potential use-case
In case DNSSEC is off there are only a few options to mitigate unwanted-reply cache poisoning, like use-caps-for-id.
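The mechanism the request describes (count unsolicited replies per domain, flag the domain once a rate threshold is crossed inside a window, let the flag expire, and pick TCP for the next upstream query of a flagged name) sketched as a small resolver-side tracker. This is an added illustration written for this page, not unbound's code, and it does not model how unbound's unwanted-reply-threshold actually works; the class and method names, the threshold, window and TTL values, and the sample query names are all assumptions chosen for the example.

```python
"""Sketch of the proposed per-domain "attacked" flag (hypothetical, not unbound's code).

A reply that matches no outstanding query is an "unwanted" reply. Each one is
recorded against the domain it names; when `threshold` of them land inside a
sliding `window`, the domain is flagged for `flag_ttl` seconds and upstream
queries for it are sent over TCP instead of UDP until the flag expires.
"""
import time
from collections import defaultdict, deque


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased without a trailing dot."""
    return name.rstrip(".").lower() or "."


class AttackFlagTracker:
    def __init__(self, threshold=5, window=60.0, flag_ttl=600.0, clock=time.monotonic):
        self.threshold = threshold   # unwanted replies needed inside `window` to set the flag
        self.window = window         # sliding window in seconds (the rate limit)
        self.flag_ttl = flag_ttl     # how long a domain stays flagged after the last trigger
        self.clock = clock           # injectable clock so the logic is testable offline
        self._unwanted = defaultdict(deque)  # domain -> timestamps of unwanted replies
        self._attacked_until = {}            # domain -> expiry timestamp of the flag

    def _now(self, now):
        return self.clock() if now is None else now

    def record_unwanted_reply(self, qname, now=None):
        """Called when a reply arrives that matches no outstanding query."""
        now = self._now(now)
        name = normalize(qname)
        stamps = self._unwanted[name]
        stamps.append(now)
        # Drop events that fell out of the window so a trickle never adds up to an attack.
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) >= self.threshold:
            # (Re)arm the flag; a continuing flood keeps extending it.
            self._attacked_until[name] = now + self.flag_ttl
        return self.is_attacked(name, now)

    def is_attacked(self, qname, now=None):
        now = self._now(now)
        name = normalize(qname)
        until = self._attacked_until.get(name)
        if until is None:
            return False
        if now >= until:               # flag expired: forget the domain again
            del self._attacked_until[name]
            return False
        return True

    def transport_for(self, qname, now=None):
        """Transport the next upstream query should use when the cache entry is renewed."""
        return "tcp" if self.is_attacked(qname, now) else "udp"


class OutstandingQueries:
    """Minimal in-flight query table used to classify replies as wanted or unwanted."""

    def __init__(self, tracker: AttackFlagTracker):
        self.tracker = tracker
        self._pending = set()

    def sent(self, txid, qname, qtype):
        self._pending.add((txid, normalize(qname), qtype))

    def received(self, txid, qname, qtype, now=None):
        key = (txid, normalize(qname), qtype)
        if key in self._pending:
            self._pending.discard(key)
            return "wanted"
        # No matching question outstanding: count it against the named domain.
        self.tracker.record_unwanted_reply(qname, now)
        return "unwanted"


if __name__ == "__main__":
    # Constructed scenario: three unsolicited replies for example.com within a minute.
    tracker = AttackFlagTracker(threshold=3, window=60, flag_ttl=600)
    for t in (1, 2, 3):
        tracker.record_unwanted_reply("example.com", now=t)
    print("t=4  ->", tracker.transport_for("example.com", now=4))     # tcp
    print("t=700->", tracker.transport_for("example.com", now=700))   # udp (flag expired)
```

The sliding window is what keeps a single stray reply from flipping a domain to TCP, and the expiry is what brings the domain back to UDP once the flood stops; both are the knobs the request asks for next to the existing threshold.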