feat: DoT (DNS over TLS) client upstream

Adds tls:// upstream support for forwarding queries over DNS-over-TLS
(RFC 7858). Parses tls://IP:PORT#hostname format, with default port 853.

- New Upstream::Dot variant with TLS connector
- forward_dot: length-prefixed DNS over TLS stream
- build_dot_connector: system root CAs via webpki-roots
- parse_upstream handles tls:// prefix

Example config:
  address = ["tls://9.9.9.9#dns.quad9.net"]
Razvan Dimescu
2026-04-12 18:35:06 +03:00
parent 7047767dc2
commit 05baad0cc0
3 changed files with 82 additions and 0 deletions

@@ -31,6 +31,7 @@ arc-swap = "1"
ring = "0.17"
rustls-pemfile = "2.2.0"
qrcode = { version = "0.14", default-features = false, features = ["svg"] }
webpki-roots = "1"
[dev-dependencies]
criterion = { version = "0.8", features = ["html_reports"] }
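
Review bot: the new `webpki-roots = "1"` dependency does not match the commit message's description of build_dot_connector as using "system root CAs". webpki-roots is a copy of the Mozilla root set compiled into the binary, not the operating system trust store. With this dependency, the trust anchors for DoT upstreams change only when the crate is bumped and the binary rebuilt, and a CA installed locally on the host (for example for an internal resolver) will not be accepted. Either reword the message and any user-facing docs to say "bundled Mozilla roots", or, if the OS store is what is intended, load it instead (the rustls-native-certs crate does this). It is also worth a comment next to the dependency stating which behaviour was chosen, since it decides who the resolver will authenticate.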