Add: Leak-D for dns leak detection

docs/dns_leak_implementation_status.md

@@ -13,6 +13,7 @@ This document tracks the current DNS leak detector implementation against the de
   - Leak-A (plaintext DNS outside safe path).
   - Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
   - Leak-C (encrypted DNS bypass for DoT).
+  - Leak-D (basic mismatch: DNS response IP -> outbound TCP SYN on different route).
 - Policy profiles: `full-tunnel`, `proxy-stub`, `split`.
 - Privacy modes: full/redacted/minimal (redacts qname).
 - Process attribution:
@@ -37,10 +38,16 @@ This document tracks the current DNS leak detector implementation against the de
 
 ## Not implemented (v0.4 backlog)
 - DoH heuristic detection (SNI/endpoint list/traffic shape).
-- Leak-D mismatch correlation (DNS -> TCP/TLS flows).
 - GeoIP enrichment of leak events.
 - Process tree reporting (PPID chain).
 
 ## Known limitations
 - On Windows, pcap capture may require selecting a specific NPF interface; use
   `dns leak watch --iface-diag` to list interfaces that can be opened.
+- Leak-D test attempts on Windows did not fire; see test notes below.
+
+## Test notes
+- `dns leak watch --duration 8s --summary-only --iface <NPF>` captured UDP/53 and produced Leak-A.
+- `dns leak watch --duration 15s --iface <NPF>` with scripted DNS query + TCP connect:
+  - UDP/53 query/response captured (Leak-A).
+  - TCP SYNs observed, but did not match cached DNS response IPs, so Leak-D did not trigger.