https://github.com/cilium/cilium
Revision cf3cc16289b7621c7b3aff93d7d6eab94b309921 authored by Anton Protopopov on 28 November 2022, 15:14:40 UTC, committed by Jarno Rajahalme on 28 November 2022, 18:10:19 UTC
In the case of TCP it is not enough to do net.Dial + setsockopt(SO_MARK), as in
this case the TCP SYN will have a wrong identity, e.g.:

    Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN
    Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN

Here the second message has the wrong identity (host). We still allow the traffic,
as the origin is the local host and the coredns is running on the same host, but
this will not work for a remote host if the ingress policy doesn't allow the
remote-node identity. To fix this we need to pass a Control parameter to Dial,
so that setsockopt(2) is called before connect(2). With such a change we
now see the correct identity in the case of TCP:

    Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN
    Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN

Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity")

Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
1 parent 8264fd4
fqdn: dnsproxy: fix forwarding of the original security identity for TCP
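The ordering the commit message relies on, shown as an added Go example that is not Cilium's own code: net.Dialer runs its Control hook after socket(2) and before connect(2), so a socket option set there is in force when the SYN leaves, whereas setsockopt after net.Dial returns is too late for TCP. The example assumes the Linux SO_MARK option number (36), a constructed mark value 0x1234 (Cilium derives the real mark from the security identity), and a throwaway loopback listener; the controlReport type and dialLoopback helper exist only so the "before connect" claim can be observed with getpeername(2), which fails with ENOTCONN on a not-yet-connected socket.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
)

// soMark is the numeric value of SO_MARK on Linux (socket(7)); spelled out so
// the file compiles even where the syscall package lacks the constant.
const soMark = 36

// controlReport records what the Control hook observed (for the demonstration only).
type controlReport struct {
	ran       bool  // the hook executed
	connected bool  // socket already had a peer when the hook ran (must be false)
	setErr    error // setsockopt(2) result; EPERM for SO_MARK without CAP_NET_ADMIN
}

// sockoptControl builds a net.Dialer.Control hook that applies one integer
// SOL_SOCKET option. Control runs after socket(2) and before connect(2), so for
// TCP the option is already in force when the SYN is sent.
func sockoptControl(opt, value int, rep *controlReport) func(string, string, syscall.RawConn) error {
	return func(network, address string, c syscall.RawConn) error {
		err := c.Control(func(fd uintptr) {
			rep.ran = true
			// getpeername(2) fails with ENOTCONN before connect(2); success
			// here would mean the hook ran too late.
			_, perr := syscall.Getpeername(int(fd))
			rep.connected = perr == nil
			rep.setErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, opt, value)
		})
		if err != nil {
			return err
		}
		// A failed setsockopt aborts the dial instead of sending an unmarked SYN.
		return rep.setErr
	}
}

// markDialer is the "mark before connect" pattern from the commit message:
// SO_MARK is set inside Control rather than after Dial returns.
func markDialer(mark uint32, rep *controlReport) *net.Dialer {
	return &net.Dialer{Control: sockoptControl(soMark, int(mark), rep)}
}

// dialLoopback starts a throwaway listener on 127.0.0.1, dials it with d, and
// reads option opt back from the connected socket, so the hook's effect can be
// observed offline.
func dialLoopback(d *net.Dialer, opt int) (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Close()
		}
	}()
	conn, err := d.DialContext(context.Background(), "tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	raw, err := conn.(*net.TCPConn).SyscallConn()
	if err != nil {
		return 0, err
	}
	var val int
	var gerr error
	if err := raw.Control(func(fd uintptr) {
		val, gerr = syscall.GetsockoptInt(int(fd), syscall.SOL_SOCKET, opt)
	}); err != nil {
		return 0, err
	}
	return val, gerr
}

func main() {
	const mark = 0x1234 // constructed value, not a real Cilium identity mark
	var rep controlReport
	val, err := dialLoopback(markDialer(mark, &rep), soMark)
	switch {
	case errors.Is(err, syscall.EPERM):
		fmt.Println("hook ran before connect:", rep.ran && !rep.connected, "(SO_MARK needs CAP_NET_ADMIN)")
	case err != nil:
		fmt.Println("dial failed:", err)
	default:
		fmt.Printf("SO_MARK=%#x read back; hook ran before connect: %v\n", val, rep.ran && !rep.connected)
	}
}
```

Without CAP_NET_ADMIN the dial fails with EPERM, which is the intended behaviour: the hook returns the setsockopt error so no unmarked SYN is ever sent, rather than silently falling back to the host identity as in the first log excerpt.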