fix: route buildkit dns through host's systemd-resolved cache

[pbardea]

Summary

• BuildKit on Blacksmith runners currently hardcodes public DNS servers (8.8.8.8, 1.1.1.1, etc.) in buildkitd.toml, bypassing the host's systemd-resolved DNS cache
• This causes DNS cache misses and EAI_AGAIN/ETIMEOUT errors during parallel Docker builds with heavy DNS traffic (e.g. pnpm install in monorepos)
• This PR configures systemd-resolved to listen on the host's routable IP (not just loopback 127.0.0.53), then injects that IP into buildkitd.toml's [dns] section
• Build containers on any network mode (host, bridge, custom) can now reach the host's DNS cache, matching Docker's built-in behavior for the docker-container driver
• Public DNS servers are kept as fallback if the routable IP can't be determined

See: moby/buildkit#5009

Made with Cursor

---

Note

Medium Risk
Touches host-level DNS configuration and BuildKit daemon startup behavior; misconfiguration could disrupt DNS resolution on runners or in builds.

Overview
BuildKit DNS is reworked to prefer the host’s systemd-resolved cache instead of hardcoded public resolvers.

startBuildkitd now (1) installs a systemd-resolved drop-in to listen on a routable interface (DNSStubListenerExtra=0.0.0.0) and restarts the service, and (2) writes buildkitd.toml with a [dns] nameservers list set to the host’s primary routable IP (derived via ip route get), falling back to public DNS only when the host IP can’t be determined.

^{Written by Cursor Bugbot for commit 5d82af7. This will update automatically on new commits. Configure here.}

[pbardea]

@codesmith fix ci

[blacksmith-staging]

I'm now helping with this PR. Give me a moment to analyze the code and I'll respond shortly.

[linear]

BLA-3250 DNS resolution errors/TCP timeouts causing job failures for Bastion

[blacksmith-staging]

@pbardea

fix ci

Pushed the fix. All 4 CI failures (Build and Test, Lint, Verify Build Output, Test Action) were caused by the same issue: package.json had a packageManager: "pnpm@10.29.3" field (likely auto-added by Cursor) that conflicted with the version: 8.15.9 specified in all CI workflow files. pnpm/action-setup@v4 rejects this mismatch.

Removed the packageManager field to restore package.json to match main. CI should pass now.

[pbardea]

With this change DNS cache utilization went from 2% -> 99% on the parallel pnpm stress test.

Before: https://github.com/useblacksmith/test-workflows/actions/runs/21959552170/job/63433002178?pr=20#step:8:101
After: https://github.com/useblacksmith/test-workflows/actions/runs/21959552170/job/63433002188?pr=20#step:9:118

[pbardea]

ubuntu@paul-dev-131:~$ ip route get 1.1.1.1
1.1.1.1 via 131.153.225.122 dev bond0.65 src 131.153.225.123 uid 1000
    cache
    ```
    
    for context