Add answer CIDR cache exclusions #2901
414b720 to 632f4a9
darkexplosiveqwx left a comment
Please use the PR template from https://github.com/pi-hole/.github/blob/master/.github/PULL_REQUEST_TEMPLATE.md.
The PR template also mentions the following issues: DCO and targeting development branch.
This PR mainly touches dnsmasq code. We want to make as little changes as possible to dnsmasq to avoid future merge conflicts. If it is possible, it should be submitted upstream at Dnsmasq-discuss.
Some more issues are that test/cache_exclude_cidr_test.c is never used and that the config option is not added to test/pihole.toml and src/api/docs/content/specs/config.yaml.
I read your motivation but this is still somewhat obscure to me: we cache per domain per client per record so why is this bad? Note that this will introduce extra work as FTL will not be able to short-circuit queries for said combination (domain, client, type) but has to do all lengthy regex comparisons, etc. over and over again, always coming back to (very likely to guaranteed) the same outcome. Something is missing for me.
Summary
dns.cache.excludeAnswerCIDRs, a restart-scoped JSON string array of CIDR ranges
Motivation
This helps deployments where Pi-hole forwards to a fake-IP resolver. The client still receives the upstream answer, but FTL avoids caching fake-IP answers that may outlive the upstream resolver's own mapping state.
The default is 198.18.0.0/15, the RFC 2544 benchmarking range commonly used by fake-IP DNS implementations.
Test
cc -Wall -Wextra -I src -o /tmp/cache_exclude_cidr_test test/cache_exclude_cidr_test.c src/dnsmasq/cache_exclude.c src/webserver/cJSON/cJSON.c && /tmp/cache_exclude_cidr_test
git diff --check
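
The membership test that the description above relies on, as an added example that is not part of this PR or of FTL's sources: it decides whether an answer address falls inside any configured CIDR range, including prefixes that are not byte-aligned such as the default /15. The struct and function names are hypothetical, and the array of CIDR strings stands in for the parsed value of dns.cache.excludeAnswerCIDRs.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical names; this is not the PR's src/dnsmasq/cache_exclude.c. */
struct cidr { int family; unsigned char net[16]; int prefix; };

/* Parse "addr/prefix" (IPv4 or IPv6). Returns 0 on success, -1 on bad input. */
static int cidr_parse(const char *text, struct cidr *out)
{
    char buf[INET6_ADDRSTRLEN + 5], *end;
    const char *slash = strchr(text, '/');
    if (!slash || (size_t)(slash - text) >= sizeof(buf) || slash[1] == '\0')
        return -1;
    memcpy(buf, text, (size_t)(slash - text));
    buf[slash - text] = '\0';
    out->family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(out->family, buf, out->net) != 1)
        return -1;
    long prefix = strtol(slash + 1, &end, 10);
    if (*end != '\0' || prefix < 0 || prefix > (out->family == AF_INET ? 32 : 128))
        return -1;
    out->prefix = (int)prefix;
    return 0;
}

/* 1 if addr lies inside the range; 0 if outside, malformed or other family. */
static int cidr_contains(const struct cidr *c, const char *addr)
{
    unsigned char a[16] = {0};
    if (inet_pton(c->family, addr, a) != 1) return 0;
    int full = c->prefix / 8, rest = c->prefix % 8;   /* whole bytes, spare bits */
    if (memcmp(a, c->net, (size_t)full) != 0) return 0;
    if (rest == 0) return 1;
    unsigned char mask = (unsigned char)(0xFF << (8 - rest));
    return (a[full] & mask) == (c->net[full] & mask);
}

/* Should an upstream answer with this address bypass the cache? */
int answer_excluded(const char *addr, const char *const *cidrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct cidr c;
        if (cidr_parse(cidrs[i], &c) == 0 && cidr_contains(&c, addr))
            return 1;
    }
    return 0;
}
```

Entries that fail to parse are skipped here, so an answer they were meant to cover would still be cached; a config loader would normally reject such entries when the setting is read.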