Improve DNS inspection record reporting and resolver handling

AGENTS.md

@@ -89,7 +89,8 @@ metadata/update/DNS/TLS inspection modes, and executes requests via `src/http`.
 - gRPC calls and reflection advertise `grpc-accept-encoding: gzip`; response frames with the compressed flag are decompressed with the response `grpc-encoding` before protobuf decoding, with unsupported encodings reported by name.
 - gRPC standard request headers, status extraction from headers/trailers, and full framed-body reads live under `src/grpc`; request execution and reflection should reuse those helpers instead of duplicating protocol handling.
 - Client-streaming and bidi gRPC calls stream JSON input into framed protobuf request bodies instead of materializing the whole stream up front; stdin-backed gRPC JSON streams use the shared incremental parser behind a blocking stdin bridge, and Windows pipe stdin is peeked before reads so complete request messages can be sent before EOF without byte-at-a-time reads.
-- `--inspect-dns` resolves the URL hostname without making an HTTP request, showing common DNS record types, resolver backend, duration, and per-record TTLs from direct UDP or DoH responses.
+- Custom UDP DNS queries advertise EDNS(0) and retry truncated responses over TCP.
+- `--inspect-dns` resolves the URL hostname without making an HTTP request, showing common DNS record types, resolver backend, duration, and per-record TTLs from direct UDP or DoH responses. UDP inspection queries retry truncated UDP responses over TCP; if TCP fallback cannot complete the lookup, render a warning about incomplete results and exit non-zero instead of silently omitting that record type.
 - `--inspect-tls --http 3` performs QUIC/TLS inspection with `h3` ALPN instead of the TCP TLS path.
 - `--inspect-tls` honors `--dns-server` for both TCP and QUIC inspection, resolving domain targets through the configured UDP or DoH resolver before the TLS handshake.
 - Rust `--inspect-tls` renders a verified certificate chain when verification succeeds, appending omitted trusted roots or replacing server-sent cross-signed roots with the matching platform/custom trusted root for expiry display; `--insecure` keeps the raw peer chain.

docs/advanced-features.md

@@ -23,6 +23,8 @@ fetch --dns-server 1.1.1.1:53 example.com
 fetch --dns-server "[2001:4860:4860::8888]:53" example.com
 ```
 
+UDP DNS queries advertise EDNS(0) and retry truncated responses over TCP.
+
 ### DNS-over-HTTPS (DoH)
 
 Use HTTPS URL for encrypted DNS queries:
@@ -47,7 +49,7 @@ fetch --inspect-dns example.com
 fetch --inspect-dns --dns-server https://1.1.1.1/dns-query example.com
 ```
 
-The output shows the resolver backend, A, AAAA, CNAME, TXT, MX, NS, SOA, SRV, CAA, SVCB, and HTTPS records when present, address count, record count, lookup duration, and per-record TTLs.
+The output shows the resolver backend, A, AAAA, CNAME, TXT, MX, NS, SOA, SRV, CAA, SVCB, and HTTPS records when present, address count, record count, lookup duration, and per-record TTLs. UDP DNS inspection advertises EDNS(0) and retries truncated UDP responses over TCP; if TCP fallback cannot complete the lookup, `fetch` warns that the results are incomplete and exits with a non-zero status.
 
 ### Configuration File
 

docs/cli-reference.md

@@ -353,7 +353,8 @@ fetch --retry 3 --retry-delay 0.5 example.com
 ### `--dns-server IP[:PORT]|URL`
 
 Use custom DNS server. Supports UDP DNS and DNS-over-HTTPS for requests and
-DNS/TLS inspection.
+DNS/TLS inspection. UDP DNS queries advertise EDNS(0) and retry truncated
+responses over TCP.
 
 ```sh
 fetch --dns-server 8.8.8.8 example.com
@@ -363,7 +364,7 @@ fetch --dns-server https://1.1.1.1/dns-query example.com
 
 ### `--inspect-dns`
 
-Inspect DNS resolution for the URL hostname only (no HTTP request is made). Displays the resolver backend, A, AAAA, CNAME, TXT, MX, NS, SOA, SRV, CAA, SVCB, and HTTPS records when present, along with per-record TTLs, address count, record count, and lookup duration.
+Inspect DNS resolution for the URL hostname only (no HTTP request is made). Displays the resolver backend, A, AAAA, CNAME, TXT, MX, NS, SOA, SRV, CAA, SVCB, and HTTPS records when present, along with per-record TTLs, address count, record count, and lookup duration. UDP DNS inspection advertises EDNS(0) and retries truncated UDP responses over TCP; if TCP fallback cannot complete the lookup, `fetch` warns that the results are incomplete and exits with a non-zero status.
 
 ```sh
 fetch --inspect-dns example.com