DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking

- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)

06-data-and-persistence.md

@@ -17,7 +17,7 @@ Every service with persistent state uses **bind mounts to on-node directories**.
 |---------|-----------|---------------|---------------|
 | **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB |
 | **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB |
-| **AdGuard Home** | `/opt/iron-legion/adguard/work/` `/opt/iron-legion/adguard/conf/` | MK7 | < 500 MB |
+| **~~AdGuard Home~~** | ~~`/opt/iron-legion/adguard/work/`~~ ~~`/opt/iron-legion/adguard/conf/`~~ | ~~Removed~~ | ~~N/A~~ |
 | **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 5–20 GB |
 | **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB |
 | **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB |