hardening(proxy): resolve host to IP to check if it's local before connecting

!380 (merged) introduced a check for this, but it doesn't cover URL hostnames like my-pc-1.local and localhost. See !380 (comment 3069548)

I guess we need to use LookupIP, but since it's not a pure function, we'd also want timing attack protection, i.e. if the resolved IP turns out to be a local one, we need to wait a bit before sending the response so as to not give the client (and the broker) info about how long it took us to resolve the IP, which could leak info about whether such domain exists.

This should not have downsides since currently the proxy resolves the host to the IP anyway by further Dial() to the requested URL.

But this could become less important if !385 (closed) is merged, which would cover most of this issues cases, except for when the proxy operator has a private Snowflake server for some reason.