So we've got one leak in res_nsend() in Linux, and a different one in
res_ninit() in Solaris libresolv.  res_ndestroy() in the BIND sources
looks like it does the right things with resources allocated by
res_ninit(), but neither Solaris nor Linux exports it.  All of these are
reasonably considered OS bugs, so what we have now (call res_ndestroy()
if we can find it) is probably the best we'll get unless we do
thread-specific caching, or caching in krb5_context, or mutex around
calls to the non-thread-safe resolver APIs.