feat(core): expose TLS ConnectionState (SNI) for DoQ (#8129)

DoQWriter previously stored only the QUIC stream, so plugins reading
TLS state via dns.ConnectionStater (e.g. for SNI-based routing or
auditing) could not see anything for DoQ connections, even
though the underlying QUIC connection carries a full tls.ConnectionState.

This change adds a *quic.Conn reference to DoQWriter and wires it in serveQUICStream.

It implements dns.ConnectionStater on *DoQWriter, returning the TLS
state from the underlying QUIC connection (mirrors the DoT behavior
that miekg/dns already provides for *tls.Conn)

Forwards ConnectionState through request.ScrubWriter, which wraps
every response writer before the plugin chain runs; the embedded
dns.ResponseWriter interface does not promote ConnectionState (it
belongs to a separate interface), so without this plugins would
still see nil for both DoQ and DoT

Signed-off-by: Nicholas Amorim <nicholas@santos.ee>

core/dnsserver/quic.go

@@ -1,6 +1,7 @@
 package dnsserver
 
 import (
+	"crypto/tls"
 	"encoding/binary"
 	"errors"
 	"net"
@@ -13,6 +14,7 @@ type DoQWriter struct {
 	localAddr  net.Addr
 	remoteAddr net.Addr
 	stream     *quic.Stream
+	conn       *quic.Conn
 	Msg        *dns.Msg
 	tsigStatus error
 }
@@ -68,3 +70,15 @@ func (w *DoQWriter) Hijack()                {}
 func (w *DoQWriter) LocalAddr() net.Addr    { return w.localAddr }
 func (w *DoQWriter) RemoteAddr() net.Addr   { return w.remoteAddr }
 func (w *DoQWriter) Network() string        { return "" }
+
+// ConnectionState implements the dns.ConnectionStater interface, exposing the
+// TLS state of the underlying QUIC connection (e.g. for plugins that need to
+// read the SNI ServerName). Mirrors the DoT behavior already provided by the
+// miekg/dns response writer.
+func (w *DoQWriter) ConnectionState() *tls.ConnectionState {
+	if w.conn == nil {
+		return nil
+	}
+	state := w.conn.ConnectionState().TLS
+	return &state
+}