Merge commit from fork

Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.

New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams

Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl

Defaults are applied automatically when plugins are omitted from
config.

Includes tests and integration tests.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

plugin/https3/README.md

@@ -0,0 +1,47 @@
+# https3
+
+## Name
+
+*https3* - configures DNS-over-HTTPS/3 (DoH3) server options.
+
+## Description
+
+The *https3* plugin allows you to configure parameters for the DNS-over-HTTPS/3 (DoH3) server to fine-tune the security posture and performance of the server. HTTPS/3 uses QUIC as the underlying transport.
+
+This plugin can only be used once per HTTPS3 listener block.
+
+## Syntax
+
+```txt
+https3 {
+    max_streams POSITIVE_INTEGER
+}
+```
+
+* `max_streams` limits the number of concurrent QUIC streams per connection. This helps prevent unbounded streams on a single connection, exhausting server resources. The default value is 256 if not specified. Set to 0 to use underlying QUIC transport default.
+
+## Examples
+
+Set custom limits for maximum streams:
+
+```
+https3://.:443 {
+    tls cert.pem key.pem
+    https3 {
+        max_streams 50
+    }
+    whoami
+}
+```
+
+Set values to 0 for QUIC transport default, matching CoreDNS behaviour before v1.14.0:
+
+```
+https3://.:443 {
+    tls cert.pem key.pem
+    https3 {
+        max_streams 0
+    }
+    whoami
+}
+```