Add: dns leak detection

docs/dns_leak_implementation_status.md

@@ -0,0 +1,42 @@
+# DNS Leak Detection - Implementation Status
+
+This document tracks the current DNS leak detector implementation against the design in
+`docs/dns_leak_detection_design.md` and `docs/requirement_docs_v0.4.md`.
+
+## Implemented
+- New `wtfnet-dnsleak` crate with passive capture (pcap feature).
+- Transport classification:
+  - Plain DNS (UDP/53, TCP/53) with qname/qtype parsing.
+  - DoT (TCP/853) detection.
+  - DoH detection is not implemented (skipped for now).
+- Leak rules:
+  - Leak-A (plaintext DNS outside safe path).
+  - Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
+  - Leak-C (encrypted DNS bypass for DoT).
+- Policy profiles: `full-tunnel`, `proxy-stub`, `split`.
+- Privacy modes: full/redacted/minimal (redacts qname).
+- Process attribution:
+  - Best-effort `FlowOwnerProvider` with Linux `/proc` and Windows `netstat` lookups.
+  - Confidence levels and failure reasons exposed in events.
+- CLI commands:
+  - `dns leak status`
+  - `dns leak watch`
+  - `dns leak report`
+- `dns leak watch --iface-diag` (diagnostics for capture-capable interfaces).
+- Interface selection:
+  - per-interface open timeout to avoid capture hangs
+  - stable default pick (up, non-loopback, named ethernet/wlan) before fallback scan
+
+## Partially implemented
+- Route/interface classification: heuristic only (loopback/tunnel/physical by iface name).
+- Safe path matching: allowed ifaces/dests/ports/processes; no route-based policy.
+
+## Not implemented (v0.4 backlog)
+- DoH heuristic detection (SNI/endpoint list/traffic shape).
+- Leak-D mismatch correlation (DNS -> TCP/TLS flows).
+- GeoIP enrichment of leak events.
+- Process tree reporting (PPID chain).
+
+## Known limitations
+- On Windows, pcap capture may require selecting a specific NPF interface; use
+  `dns leak watch --iface-diag` to list interfaces that can be opened.