
Expand CNAME uncloaking protection #14392

Open
wants to merge 1 commit into base: master

Conversation

@antonok-edm (Collaborator) commented Jul 28, 2022

Resolves brave/brave-browser#24278

Security review: https://github.com/brave/security/issues/961

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

Apologies in advance for the massive test plan here, but it's a security-sensitive feature and we want to be extra sure that there is no DNS leakage before this can land in Release.

All of the following should be tested in Aggressive Shields blocking mode, and on as many OS platforms as possible. Note that many of these have already been QA tested in the past; the previous verification summaries can be used as a reference.

Android only: not all of the test plans here are applicable, but for those that are, be sure to enable the #brave-adblock-cname-uncloaking flag in brave://flags. It is currently disabled by Griffin under the DisableCnameUncloakingForAndroid study.

  1. Redo the test plan from Disable CNAME uncloaking when DoH is enabled with an HTTPS proxy #11164, but with Secure DNS both enabled and disabled
  2. Redo the test plan from Disable CNAME uncloaking when a proxy extension with a socks fallback is enabled #10742, but with Secure DNS both enabled and disabled
  3. Redo the test plan from Avoid CNAME uncloaking if a proxy is configured #8957, but with Secure DNS both enabled and disabled
  4. Redo the test plan from Only specify net::HostResolverSource::DNS when DoH is enabled #8279
  5. Redo the test plan from Fix Tor dns leak #7769

bool should_check_uncloaked =
    base::FeatureList::IsEnabled(
        brave_shields::features::kBraveAdblockCnameUncloaking) &&
    ctx->browser_context && !ctx->browser_context->IsTor() &&
Member

Actually, we can't just remove it like this, because DNS requests can't be routed through a Tor connection.

  1. Tor can't be used to route UDP traffic.
  2. If we forced DoH, it would create a proxy deadlock, and DoH is also leaking from Tor's perspective.
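A minimal model of the gate discussed in the comment above and of the uncloaking step it protects, as an added example (not Brave's code): the CNAME records, blocklist and context fields are constructed here, and the proxy condition is taken from the linked test plans rather than from the quoted snippet. The point it shows is that when the gate is off, no separate resolver lookup is made at all, so nothing can leak outside the Tor or proxy path.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed CNAME records: a first-party-looking host that is really an
# alias for a third-party tracker domain, plus a deliberate loop.
CONSTRUCTED_ZONE = {
    "metrics.example.com": "cdn.tracker-example.net",
    "cdn.tracker-example.net": "edge.tracker-example.net",
    "loop-a.example.com": "loop-b.example.com",
    "loop-b.example.com": "loop-a.example.com",
}
CONSTRUCTED_BLOCKLIST = {"tracker-example.net"}


@dataclass
class RequestContext:
    feature_enabled: bool   # analogue of kBraveAdblockCnameUncloaking
    is_tor: bool            # analogue of browser_context->IsTor()
    proxy_configured: bool  # condition from test plan item 3 (assumed here)


def should_check_uncloaked(ctx: RequestContext) -> bool:
    """Never issue an extra DNS lookup from a Tor context (DNS cannot be
    routed through Tor) or when a proxy is configured."""
    return ctx.feature_enabled and not ctx.is_tor and not ctx.proxy_configured


def canonical_name(host: str, zone: dict, max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain; return None on a loop or an overlong chain."""
    seen, current = {host}, host
    for _ in range(max_hops):
        target = zone.get(current)
        if target is None:
            return current
        if target in seen:
            return None  # CNAME loop
        seen.add(target)
        current = target
    return None  # chain too long


def is_blocked(name: str, blocklist: set) -> bool:
    """Match the name or any of its parent domains against the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def uncloak_and_classify(host, ctx, zone=CONSTRUCTED_ZONE, blocklist=CONSTRUCTED_BLOCKLIST):
    """Return (lookup_performed, blocked). Gated off: classify the original
    host only, without touching the resolver."""
    if not should_check_uncloaked(ctx):
        return False, is_blocked(host, blocklist)
    canonical = canonical_name(host, zone) or host
    return True, is_blocked(canonical, blocklist)
```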

@iefremov (Contributor) commented Aug 5, 2022

Should we freeze the PR given the sec review outcome?

Labels: CI/run-network-audit
3 participants