feat: auto recursive mode, fix Linux install

Auto mode (new default): probes a root server on startup; uses
recursive resolution if outbound DNS works, falls back to Quad9 DoH
if blocked. Dashboard shows mode indicator (green/yellow).

Linux install fixes:
- Add DNSStubListener=no to resolved drop-in (frees port 53)
- Configure DNS before starting service (correct ordering)
- Skip 127.0.0.53 in upstream detection
- `numa install` now does everything (service + DNS + CA)
- `numa uninstall` mirrors install (stop service + restore DNS)
- Extract is_loopback_or_stub() for consistent filtering

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/recursive.rs

@@ -65,6 +65,20 @@ pub async fn probe_udp(root_hints: &[SocketAddr]) {
     }
 }
 
+/// Probe whether recursive resolution works by querying a root server.
+pub async fn probe_recursive(root_hints: &[SocketAddr]) -> bool {
+    let hint = match root_hints.first() {
+        Some(h) => *h,
+        None => return false,
+    };
+    let mut probe = DnsPacket::query(next_id(), ".", QueryType::NS);
+    probe.header.recursion_desired = false;
+    match forward_udp(&probe, hint, Duration::from_secs(3)).await {
+        Ok(resp) => !resp.answers.is_empty() || !resp.authorities.is_empty(),
+        Err(_) => false,
+    }
+}
+
 pub async fn prime_tld_cache(
     cache: &RwLock<DnsCache>,
     root_hints: &[SocketAddr],