Pad queries when EDNS0 is enabled.

Behavior is compliant with
https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-04

EDNS0 is only enabled when the netcontext requests it, i.e. in DNS-over-TLS
mode.

Bug: 69623036
Bug: 64133961
Test: Wireshark verified. Integration tests echo padding and pass.
Merged-In: Ie5439b0ad505ebf393a83c87845fd02549afc4a2
Merged-In: I274d659782870818274526d23d3a3c4640cad92d
Change-Id: I5ef600e02a572d281441e890cc981614f150629b
(cherry picked from commit 23e4081009bb58d9c09e615186208b77749e72de)

libc/dns/include/resolv_params.h

@@ -34,6 +34,10 @@
 					 * servers.
 					 */
 
+/* If EDNS0_PADDING is defined, queries will be padded to a multiple of this length
+when EDNS0 is active. */
+#define EDNS0_PADDING	128
+
 /* per-netid configuration parameters passed from netd to the resolver */
 struct __res_params {
     uint16_t sample_validity; // sample lifetime in s

libc/dns/resolv/res_mkquery.c

@@ -269,8 +269,28 @@ res_nopt(res_state statp,
 	}
 	ns_put16(flags, cp);
 	cp += INT16SZ;
+#ifdef EDNS0_PADDING
+	{
+		u_int16_t minlen = (cp - buf) + 3 * INT16SZ;
+		u_int16_t extra = minlen % EDNS0_PADDING;
+		u_int16_t padlen = (EDNS0_PADDING - extra) % EDNS0_PADDING;
+		if (minlen > buflen) {
+			return (-1);
+		}
+		padlen = MIN(padlen, buflen - minlen);
+		ns_put16(padlen + 2 * INT16SZ, cp);	/* RDLEN */
+		cp += INT16SZ;
+		ns_put16(NS_OPT_PADDING, cp);	/* OPTION-CODE */
+		cp += INT16SZ;
+		ns_put16(padlen, cp);	/* OPTION-LENGTH */
+		cp += INT16SZ;
+		memset(cp, 0, padlen);
+		cp += padlen;
+	}
+#else
 	ns_put16(0, cp);	/* RDLEN */
 	cp += INT16SZ;
+#endif
 	hp->arcount = htons(ntohs(hp->arcount) + 1);
 
 	return (cp - buf);

libc/include/arpa/nameser.h

@@ -474,6 +474,7 @@ typedef enum __ns_cert_types {
  */
 #define NS_OPT_DNSSEC_OK	0x8000U
 #define NS_OPT_NSID             3
+#define NS_OPT_PADDING          12
 
 /*
  * Inline versions of get/put short/long.  Pointer is advanced.