DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking

- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)

PRDs/fleet-infrastructure-recovery.md

@@ -16,7 +16,7 @@ Six infrastructure issues are blocking fleet observability, container management
 |---|-----------|------------|
 | 1 | Portainer | Bobby can log in, see all stacks/containers |
 | 2 | Technitium | API responds on port 5380, DNS records queryable |
-| 3 | AdGuard | Container stopped, Homepage shows no AdGuard tile |
+|| 3 | ~~AdGuard~~ | ~~Container stopped, Homepage shows no AdGuard tile~~ | ~~Removed~~ | Technitium handles ad blocking |
 | 4 | Traefik TLS | HTTPS works on `*.ai.home` with valid cert |
 | 5 | Beszel | Every node + every container monitored in dashboard |
 | 6 | Prometheus | 0 targets down, alert pipeline active |