Prevent DNS lookups for CNAME decloaking for adblock for already-blocked requests

[pes10k]

Brave looks up CNAME information for all requests so that we can make blocking decisions on the entire CNAME chain (when relevant). Currently the CNAME / DNS information is fetched before making any blocking decisions. This results in unnecessary DNS calls when we can make a blocking determination from the initial URL (or at least earlier on before reaching the end of a CNAME chain).

We should optimize our CNAME decloaking, and prevent non-useful DNS requests, by waiting to fetch CNAME records until we need them (i.e., we shouldn't do any checks when we can make a blocking determination from the initial, or middle of the CNAME chain, URL and host information).

[stephendonner]

Verified PASSED on macOS for the first two testcases from brave/brave-core#8704 using build

Brave	1.26.24 Chromium: 91.0.4472.57 (Official Build) nightly (x86_64)
Revision	e3443317fa07f1e9997e4a9c738eddfefc3c0292-refs/branch-heads/4472_54@{#6}
OS	macOS Version 11.3.1 (Build 20E241)

Steps:

DoH off

1. follow the section Using the (Pre)-Master-Secret to set up SSLKEYLOGFILE (https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret)
2. After Wireshark is capturing traffic, use the dns filter
3. new profile, launch Brave
4. go to brave://settings/security and set Use secure DNS via the toggle to off
5. open Tor window
6. navigate to https://tools.ietf.org
7. after site loaded, stop Wireshark capturing
8. there shouldn't be any DNS query or DoH query for tools.ietf.org

confirmed there were no CNAME / DNS lookups for tools.ietf.org in Wireshark

screenshots

example	example

DoH enabled

1. follow the section Using the (Pre)-Master-Secret to set up SSLKEYLOGFILE (https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret)
2. after Wireshark is capturing traffic, use the dns filter
3. new profile, launch Brave
4. go to brave://settings/security and make sure Use secure DNS is toggled to on and With Cloudflare (1.1.1.1) is checked
5. open Tor window
6. navigate to https://tools.ietf.org
7. after site finishes loading, stop Wireshark capturing
8. there shouldn't be any DNS query or DoH query for tools.ietf.org

confirmed there were no CNAME / DNS lookups for tools.ietf.org in Wireshark

screenshots

example	example

MacRumors.com / googletagmanager

I filed #15953 for macOS-specific behavior; Windows 10 is working fine, but I haven't checked Linux.

/cc @brave/legacy_qa

---

Verification passed on

Brave	1.26.53 Chromium: 91.0.4472.77 (Official Build) beta (64-bit)
Revision	1cecd5c8a856bc2a5adda436e7b84d8d21b339b6-refs/branch-heads/4472@{#1246}
OS	Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#8704

DoH off

DoH on

MacRumors.com / googletagmanager

Reproduced on Ubuntu: #15953 (comment)

---

Verification passed on

<!--StartFragment-->
Brave | 1.26.54 Chromium: 91.0.4472.88&nbsp;(Official Build)&nbsp;beta&nbsp;(64-bit)
-- | --
Revision | 109e9cd038b94a631aea7d40ee3d56c1278f2597-refs/branch-heads/4472@{#1385}
OS | Windows&nbsp;10 OS Version 2004 (Build 19041.985)

<!--EndFragment-->

• Verified the test plan from Only check CNAME for unblocked requests brave-core#8704

DoH off

DoH on

[srirambv]

Verification done on OnePlus 6T with Android 10 running 1.26.63 x64 build

• Encountered "dns-prefetch" and "preconnect" links are not handled by Shields #15953 (comment)

Removing Android label as the Tor windows is not possible on Android.

cc: @antonok-edm @pes10k