[FEATURE] Separate setting for "DNS via netd" via VPN
**Is your feature request related to a problem? Please describe.**

I'd like to disable DNS by default to prevent leaks, but enable it for selected apps for which I've enabled VPN (Orbot), with DNS going via the VPN for these.
In AFWall+, selecting "Disable DNS via netd" works as advertised[^1], in that it blocks all DNS via netd (regardless of whether the app is VPN-enabled). When a VPN-enabled app tried to use DNS, I saw in the log that netd attempted to send UDP to 10.10.10.10:53, which I guess is a "magic" address for DNS via VPN. I added the following custom rules and now it seems to work the way I'd like:
```sh
$IPTABLES -A afwall-vpn -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT
$IPTABLES -A afwall-vpn -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT
```
So the only "problem" here is it took many hours of learning and experimentation (e.g. I knew nothing about iptables when I started) to achieve this, or even realise that it was possible. Since AFWall's UI has separate settings for whether apps can send data via VPN and not-VPN, it seems desirable for the UI to have this for DNS too, without needing custom rules.
**Describe the solution you'd like**

As well as the existing "Enable DNS via netd" and "Disable DNS via netd" settings, add "Enable DNS via netd for VPN only" or similar.
**Describe alternatives you've considered**

This feature isn't needed if #1047 is ever fixed (add DNS proxy to allow per-app firewalling of DNS), which would obviously be far superior.
**Additional context**

In Android settings, Private DNS needs to be disabled to make it send DNS via the VPN (for VPN-enabled apps). Otherwise it bypasses the VPN!
[^1]: Well, actually I found the wording a little misleading. At first, I expected this to make apps send DNS requests direct instead of via netd. It was only via experimenting that I found what it actually does. "Block DNS via netd" might be better wording.
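As an added example that is not part of this issue or of AFWall+'s own scripts: an idempotent form of the two custom rules above, so that re-applying the custom script does not stack duplicate rules. It assumes only what the issue's rules do, that AFWall+ exports `$IPTABLES` and an `afwall-vpn` chain; the helper names `ensure_rule` and `allow_vpn_dns` are constructed.

```shell
#!/bin/sh
# Added example, not from the AFWall+ issue or project. Assumes AFWall+ provides
# $IPTABLES and the afwall-vpn chain (as in the issue's custom rules); the helper
# names are constructed.
IPTABLES="${IPTABLES:-iptables}"

# Append a rule only if it is not already present (iptables -C checks for an
# existing rule), so running the custom script on every AFWall+ apply is safe.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0    # rule already present, nothing to do
    fi
    "$IPTABLES" -A "$chain" "$@"
}

# Let netd (uid 0) resolve DNS only on the VPN path (afwall-vpn chain), for both
# UDP and TCP port 53. DNS on non-VPN paths stays subject to the "Disable DNS
# via netd" setting, which is the leak protection the issue is after.
allow_vpn_dns() {
    for proto in udp tcp; do
        ensure_rule afwall-vpn -p "$proto" --dport 53 -m owner --uid-owner 0 -j ACCEPT
    done
}
```

Set `IPTABLES` to the binary AFWall+ uses (it already exports it for custom scripts) and call `allow_vpn_dns` from the custom rules hook.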