DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking

- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)

08-deployment-phases.md

@@ -6,7 +6,8 @@
 | Order | Service | Target Node | Why First | Dependencies |
 |-------|---------|-------------|-----------|--------------|
 | 1 | **Technitium DNS** | MK7 | Name resolution for internal services | None |
-| 2 | **AdGuard Home** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) |
+| 2 | **Technitium DNS** | MK7 | Authoritative + recursive + ad-block | N/A — single service |
+| ~~AdGuard Home~~ | ~~Removed~~ | ~~Technitium replaces AdGuard~~ |
 | 3 | **Traefik** | MK7 | Edge router for all HTTP ingress | DNS (needs `*.labs.internal` to resolve) |
 | 4 | **Authelia** | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) |
 | 5 | **Portainer** | MK7 | Container management UI | Traefik + Authelia (for secured access) |