Require all detected IP families to match in SNI-DNS check

Previously the check returned OK if any resolved address matched
either the public IPv4 or IPv6. A matching AAAA could mask a
mismatched A record (and vice versa), which is a problem because
most client connectivity is still IPv4: a partial match would
silently pass the warning while DPI still blocks the proxy.

Now each detected IP family must appear in the DNS response; the
warning also reports per-family match status so operators can tell
which record is wrong.

internal/cli/run_proxy.go

 		return
 	}
 
+	v4Match := ourIP4 == nil
+	v6Match := ourIP6 == nil
+
 	for _, addr := range addresses {
-		if (ourIP4 != nil && addr.IP.String() == ourIP4.String()) ||
-			(ourIP6 != nil && addr.IP.String() == ourIP6.String()) {
-			return
+		if ourIP4 != nil && addr.IP.String() == ourIP4.String() {
+			v4Match = true
+		}
+
+		if ourIP6 != nil && addr.IP.String() == ourIP6.String() {
+			v6Match = true
 		}
 	}
 
+	if v4Match && v6Match {
+		return
+	}
+
 	resolved := make([]string, 0, len(addresses))
 	for _, addr := range addresses {
 		resolved = append(resolved, addr.IP.String())
 		our += ourIP6.String()
 	}
 
-	log.BindStr("hostname", host).
+	entry := log.BindStr("hostname", host).
 		BindStr("resolved", strings.Join(resolved, ", ")).
-		BindStr("public_ip", our).
-		Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
-			"DPI may detect and block the proxy. See 'mtg doctor' for details")
+		BindStr("public_ip", our)
+
+	if ourIP4 != nil {
+		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))
+	}
+
+	if ourIP6 != nil {
+		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))
+	}
+
+	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +
+		"DPI may detect and block the proxy. See 'mtg doctor' for details")
 }
 
 func runProxy(conf *config.Config, version string) error { //nolint: funlen, cyclop