DNS_UPSTREAM_PLAIN_ADDRESSES option

- New CSV format with port, for example `ip1:port1,ip2:port2`
- retrocompatibility with `DNS_ADDRESS`. If set, force upstream type to plain and empty user-picked providers. 127.0.0.1 is now ignored since it's always set to this value internally.
- requires `DNS_UPSTREAM_TYPE=plain` must be set to use `DNS_UPSTREAM_PLAIN_ADDRESSES` (unless using retro `DNS_ADDRESS`)
- Warning log on using private upstream resolvers updated

internal/configuration/settings/settings.go

@@ -2,7 +2,6 @@ package settings
 
 import (
 	"fmt"
-	"net/netip"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
@@ -174,13 +173,11 @@ func (s Settings) Warnings() (warnings []string) {
 			"by creating an issue, attaching the new certificate and we will update Gluetun.")
 	}
 
-	// TODO remove in v4
-	if s.DNS.ServerAddress.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
-		warnings = append(warnings, "DNS address is set to "+s.DNS.ServerAddress.String()+
-			" so the local forwarding DNS server will not be used."+ // xxx
-			" The default value changed to 127.0.0.1 so it uses the internal DNS server."+
-			" If this server fails to start, the IPv4 address of the first plaintext DNS server"+
-			" corresponding to the first DNS provider chosen is used.")
+	for _, upstreamAddress := range s.DNS.UpstreamPlainAddresses {
+		if upstreamAddress.Addr().IsPrivate() {
+			warnings = append(warnings, "DNS upstream address "+upstreamAddress.String()+" is private: "+
+				"DNS traffic might leak out of the VPN tunnel to that address.")
+		}
 	}
 
 	return warnings