appc,feature/conn25,net: Add DNS response interception for conn25

The new version of app connector (conn25) needs to read DNS responses
for domains it is interested in and store and swap out IP addresses.

Add a hook to dns manager to enable this.
Give the conn25 updated netmaps so that it knows when to assign
connecting addresses and from what pool.
Assign an address when we see a DNS response for a domain we are
interested in, but don't do anything with the address yet.

Updates tailscale/corp#34252

Signed-off-by: Fran Bull <fran@tailscale.com>

types/appctype/appconnector.go

@@ -8,6 +8,7 @@ package appctype
 import (
 	"net/netip"
 
+	"go4.org/netipx"
 	"tailscale.com/tailcfg"
 )
 
@@ -93,3 +94,17 @@ type RouteUpdate struct {
 	Advertise   []netip.Prefix
 	Unadvertise []netip.Prefix
 }
+
+type Conn25Attr struct {
+	// Name is the name of this collection of domains.
+	Name string `json:"name,omitempty"`
+	// Domains enumerates the domains serviced by the specified app connectors.
+	// Domains can be of the form: example.com, or *.example.com.
+	Domains []string `json:"domains,omitempty"`
+	// Connectors enumerates the app connectors which service these domains.
+	// These can either be "*" to match any advertising connector, or a
+	// tag of the form tag:<tag-name>.
+	Connectors    []string         `json:"connectors,omitempty"`
+	MagicIPPool   []netipx.IPRange `json:"magicIPPool,omitempty"`
+	TransitIPPool []netipx.IPRange `json:"transitIPPool,omitempty"`
+}