Fix DNS resolution for VPN and private network configurations#182
Merged
Code Review
This pull request modifies the DNS server filtering logic in crates/kit/src/run_ephemeral.rs. Previously, the system filtered out private network IP addresses (IPv4 private ranges and IPv6 ULA) from the list of host DNS servers. The changes now allow these private addresses, with updated comments explaining that this improves compatibility for VPN and air-gapped environments where such DNS servers might be reachable. Additionally, the log level for the fallback message when no usable DNS servers are found has been changed from warn to debug, and its accompanying comments have been refined to clarify the conditions and potential limitations of this fallback.
cgwalters approved these changes on Dec 18, 2025
cgwalters reviewed on Dec 18, 2025
PR #167 introduced DNS filtering that excluded all private IP addresses (10.x, 172.16-31.x, 192.168.x, fc00::/7) assuming they would be unreachable from QEMU's slirp networking. However, this breaks VPN scenarios where private DNS servers are actually reachable.

This change removes the overly aggressive private IP filtering, now only filtering out localhost and link-local addresses. Private network DNS servers are allowed through since they may be reachable (e.g., via VPN or air-gapped networks). If they're actually unreachable, DNS will fail naturally, which is better than prematurely filtering them out.

Also downgraded the fallback warning from WARN to debug level since falling back to public DNS is a normal case, not an error condition.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: gursewak1997 <gursmangat@gmail.com>
cgwalters approved these changes on Dec 19, 2025
PR #167 introduced DNS filtering that excluded all private IP addresses (10.x, 172.16-31.x, 192.168.x, fc00::/7) assuming they would be unreachable from QEMU's slirp networking. However, this breaks VPN scenarios where private DNS servers are actually reachable.
This change removes the overly aggressive private IP filtering, now only filtering out localhost and link-local addresses. Private network DNS servers are allowed through since they may be reachable (e.g., via VPN or air-gapped networks). If they're actually unreachable, DNS will fail naturally, which is better than prematurely filtering them out.
Also downgraded the fallback warning from WARN to debug level since falling back to public DNS is a normal case, not an error condition.
Moving away from parsing DNS manually and letting libvirt handle networking would be cleaner long-term. This fix is a targeted solution for the immediate issue, but a future improvement could delegate more of the network configuration to the underlying infrastructure.
Assisted-by: Claude Code (Sonnet 4.5)
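The filtering policy described in this PR, as an added illustration for readers of this thread (editor's example, not the code from crates/kit/src/run_ephemeral.rs, and not part of the PR). It shows the "before" behaviour attributed to PR #167 (drop loopback, link-local and all private ranges) beside the "after" behaviour (drop only loopback and link-local, keep private ranges), plus the fallback path that this PR downgrades to debug level. The resolv.conf-style input, the function names and the fallback list are constructed assumptions; the fallback uses a documentation address rather than any real public resolver.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv6 unique local addresses (ULA), fc00::/7.
fn is_ipv6_ula(a: &Ipv6Addr) -> bool {
    (a.segments()[0] & 0xfe00) == 0xfc00
}

/// IPv6 link-local addresses, fe80::/10.
fn is_ipv6_link_local(a: &Ipv6Addr) -> bool {
    (a.segments()[0] & 0xffc0) == 0xfe80
}

/// Addresses that can never be reached from inside the guest: the host's
/// loopback (e.g. a systemd-resolved stub on 127.0.0.53) and link-local
/// addresses, which are scoped to the host's own links.
pub fn is_unreachable_from_guest(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback() || v4.is_link_local(),
        IpAddr::V6(v6) => v6.is_loopback() || is_ipv6_link_local(v6),
    }
}

/// RFC 1918 IPv4 ranges (10/8, 172.16/12, 192.168/16) and IPv6 ULA.
pub fn is_private(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_private(),
        IpAddr::V6(v6) => is_ipv6_ula(v6),
    }
}

/// Policy as described for PR #167: drop unreachable *and* private servers.
/// This is what broke VPN setups, whose resolvers usually sit in private space.
pub fn filter_before(servers: &[IpAddr]) -> Vec<IpAddr> {
    servers
        .iter()
        .copied()
        .filter(|ip| !is_unreachable_from_guest(ip) && !is_private(ip))
        .collect()
}

/// Policy as described in this PR: drop only what is provably unreachable.
/// Private servers pass through; if they are not reachable, lookups fail on their own.
pub fn filter_after(servers: &[IpAddr]) -> Vec<IpAddr> {
    servers
        .iter()
        .copied()
        .filter(|ip| !is_unreachable_from_guest(ip))
        .collect()
}

/// Parse `nameserver <addr>` lines from resolv.conf-style text (hypothetical helper;
/// the project's own parsing is not shown on this page). Comments and other
/// directives are ignored; unparsable addresses are skipped.
pub fn parse_nameservers(text: &str) -> Vec<IpAddr> {
    text.lines()
        .filter_map(|line| {
            let line = line.split('#').next().unwrap_or("").trim();
            let mut parts = line.split_whitespace();
            if parts.next()? != "nameserver" {
                return None;
            }
            parts.next()?.parse::<IpAddr>().ok()
        })
        .collect()
}

/// Pick the guest's resolvers: the filtered host list, or the fallback list when
/// nothing usable remains. Returns whether the fallback was used so the caller can
/// log it at debug level (a normal condition, not an error).
pub fn choose_servers(host: &[IpAddr], fallback: &[IpAddr]) -> (Vec<IpAddr>, bool) {
    let usable = filter_after(host);
    if usable.is_empty() {
        (fallback.to_vec(), true)
    } else {
        (usable, false)
    }
}

/// Constructed sample input: one loopback stub, a VPN-pushed private resolver,
/// a ULA resolver, two link-local entries and a documentation address standing
/// in for a public resolver.
pub const SAMPLE_RESOLV_CONF: &str = "\
# constructed sample, not a real host configuration
nameserver 127.0.0.53    # systemd-resolved stub (loopback)
nameserver 10.0.0.53     # private resolver pushed by a VPN
nameserver fd00::53      # IPv6 ULA resolver
nameserver 169.254.1.1   # IPv4 link-local
nameserver fe80::1       # IPv6 link-local
search example.test
nameserver 192.0.2.10    # TEST-NET-1 documentation address as a stand-in
";

/// Constructed fallback list (documentation address, not a real public resolver).
pub fn fallback_servers() -> Vec<IpAddr> {
    vec![IpAddr::V4(Ipv4Addr::new(198, 51, 100, 53))]
}

fn main() {
    let host = parse_nameservers(SAMPLE_RESOLV_CONF);
    println!("host servers:   {:?}", host);
    println!("before (#167):  {:?}", filter_before(&host));
    println!("after (this PR): {:?}", filter_after(&host));
    let (chosen, used_fallback) = choose_servers(&host, &fallback_servers());
    if used_fallback {
        println!("debug: no usable host DNS servers, falling back to {:?}", chosen);
    } else {
        println!("using host DNS servers {:?}", chosen);
    }
}
```

Running it shows the difference the PR makes on the sample: the old policy keeps only the stand-in public address, while the new policy also keeps 10.0.0.53 and fd00::53, so a VPN-only resolver is no longer discarded before it is ever tried.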