
feat(securedns): add systemd-resolved support to dns-selector #1388

Merged
RoyalOughtness merged 3 commits into secureblue:staging from alexvojproc:unbound-p3
Sep 25, 2025

Conversation

@alexvojproc
Collaborator

Although Unbound works with more consistency than systemd-resolved, several VPNs have a hard dependency on it, so they consistently fail (see #1383). This PR allows users to switch between DNS resolvers in ujust dns-selector.

Changelog:

  • Add limited systemd-resolved support to ujust dns-selector, for resolver switching without exposing incompatible options.
    • resolved is typically only used when runtime VPN DNS configuration is needed, so global resolved configuration is not supported.
    • resolved does not support DNSSEC, so this is disabled.
  • Disable the NetworkManager VPN dispatcher when systemd-resolved is in use.
    • The dispatcher fixes many VPNs, but gives mixed results with some third-party clients.
    • Keeping the dispatcher means more VPNs work without resolved, so they can benefit from DNSSEC and extended hardening.
    • In future, the dispatcher may allow for use of per-connection DNS settings with a secure default profile.
  • Robustness: systemd service restarts are re-attempted, more sanity-checking and local testing.
  • Maintainability: Google-style docstrings, some refactoring.

Note: no changes have been made to the audit. ujust dns-selector status is backwards-compatible, so no changes were needed. Currently, with systemd-resolved enabled, it returns FAIL for missing DNSSEC.

Not included in this PR:

  • DNS integration testing? (see ujust dns-selector --help).

@alexvojproc alexvojproc marked this pull request as draft September 25, 2025 16:11
@alexvojproc alexvojproc marked this pull request as ready for review September 25, 2025 16:29
@RoyalOughtness RoyalOughtness merged commit 0917dec into secureblue:staging Sep 25, 2025
12 of 13 checks passed