git.saurik.com Git - apt.git/commit
block direct connections to .onion domains (RFC7687)
author David Kalnischkies <david@kalnischkies.de>
Sat, 6 Aug 2016 11:53:05 +0000 (13:53 +0200)
committer David Kalnischkies <david@kalnischkies.de>
Wed, 10 Aug 2016 23:34:39 +0000 (01:34 +0200)
commit 8665dceb5cf2a197ae270b08066f05c8a2870223
tree 683af539fcca608f7b0a93d8b141c87e23a763df
parent c9c910695185b59aa27b787c1a250497e47b492b
block direct connections to .onion domains (RFC7687)

Doing a direct connect to an .onion address (if you don't happen to use
it as a local domain, which you shouldn't) is bound to fail and does
leak the information that you do use Tor and which hidden service you
wanted to connect to to a DNS server. Worse, if the DNS is poisoned and
actually resolves tricking a user into believing the setup would work
correctly…

This does block also the usage of wrappers like torsocks with apt, but
with native support available and advertised in the error message this
shouldn't really be an issue.

Inspired-by: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
methods/connect.cc
test/integration/test-method-connect [new file with mode: 0755]
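
The kind of check the commit message describes, as an added example (this is not the code from methods/connect.cc, which this page does not show): a hostname test that runs before any resolver call, so a query for an .onion name never reaches a DNS server. The function names `IsOnionHost` and `MayResolveDirectly` and the error text are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not apt's): true if host lies under the .onion TLD.
bool IsOnionHost(std::string host)
{
   // A fully qualified name may end in root dots: "example.onion."
   while (!host.empty() && host.back() == '.')
      host.pop_back();
   // DNS names compare case-insensitively.
   std::transform(host.begin(), host.end(), host.begin(),
                  [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
   static const std::string suffix = ".onion";
   if (host == "onion")
      return true;
   // Match on the final label only, so "onion.example.org" and
   // "notonion" are not treated as hidden-service names.
   return host.size() >= suffix.size() &&
          host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Hypothetical gate to call before getaddrinfo() or connect():
// returns false and fills error when a direct connection must be refused.
bool MayResolveDirectly(std::string const &host, std::string &error)
{
   if (!IsOnionHost(host))
      return true;
   error = "Direct connection to .onion host '" + host +
           "' is blocked; use a Tor-aware transport instead";
   return false;
}

int main()
{
   // Constructed sample hostnames.
   for (std::string const host : {"deb.debian.org", "example.onion",
                                  "EXAMPLE.Onion.", "onion.example.org"})
   {
      std::string error;
      if (MayResolveDirectly(host, error))
         std::cout << host << ": would resolve\n";
      else
         std::cout << host << ": " << error << "\n";
   }
   return 0;
}
```

Because the test happens on the string before resolution, a poisoned resolver cannot make the name appear to work.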