fix: address code review findings for DNS management

- CRITICAL: Change DNS zones endpoint from GET to POST to avoid
  leaking API token in URL query parameters
- HIGH: Add sync.RWMutex to protect dnsProvider field in Server,
  Deployer, and proxy Manager against concurrent read/write races
- HIGH: Capture old DNS provider reference synchronously before
  launching background cleanup goroutine
- HIGH: Use getDNS()/getDNSProviderLocked() accessors instead of
  direct field reads in all DNS operations

internal/api/router.go

@@ -3,6 +3,7 @@ package api
 import (
 	"context"
 	"log/slog"
+	"sync"
 
 	"github.com/go-chi/chi/v5"
 
@@ -36,7 +37,8 @@ type Server struct {
 	staleScanner *stale.Scanner
 	proxyManager *proxy.Manager
 
-	dnsProvider        dns.Provider
+	dnsProviderMu        sync.RWMutex
+	dnsProvider          dns.Provider
 	onDNSProviderChanged DNSProviderChangedFunc
 }
 
@@ -86,9 +88,18 @@ func (s *Server) SetProxyManager(pm *proxy.Manager) {
 
 // SetDNSProvider sets the current DNS provider on the server.
 func (s *Server) SetDNSProvider(provider dns.Provider) {
+	s.dnsProviderMu.Lock()
+	defer s.dnsProviderMu.Unlock()
 	s.dnsProvider = provider
 }
 
+// getDNSProviderLocked returns the current DNS provider under read lock.
+func (s *Server) getDNSProviderLocked() dns.Provider {
+	s.dnsProviderMu.RLock()
+	defer s.dnsProviderMu.RUnlock()
+	return s.dnsProvider
+}
+
 // SetDNSProviderChangedCallback sets the callback for when DNS settings change.
 func (s *Server) SetDNSProviderChangedCallback(fn DNSProviderChangedFunc) {
 	s.onDNSProviderChanged = fn
@@ -272,7 +283,7 @@ func (s *Server) Router() chi.Router {
 
 				// DNS management endpoints.
 				r.Post("/settings/dns/test", s.testDNSConnection)
-				r.Get("/settings/dns/zones", s.listDNSZones)
+				r.Post("/settings/dns/zones", s.listDNSZones)
 				r.Get("/dns/records", s.listDNSRecords)
 				r.Post("/dns/sync", s.syncDNSRecords)
 				r.Delete("/dns/records/{fqdn}", s.deleteDNSRecord)