docs: migrate MikroTik DNS from Pi-hole to AdGuard Home

- Replaced Pi-hole container with AdGuard Home (172.17.0.5)
- Configured native DoH/DoT/DoQ with TLS certificates
- Updated DNS architecture diagram
- Updated NAT rules documentation
- Added encrypted DNS endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/06-CHANGELOG.md

@@ -1,3 +1,37 @@
+## 2026-01-22 - MikroTik DNS Migration to AdGuard Home
+
+### Pi-hole Removal
+- [CONTAINER] Removed Pi-hole container from MikroTik (was 172.17.0.2)
+- [STORAGE] Freed 91.2 MiB internal flash storage (was full at 128MB)
+- [CLEANUP] Removed Pi-hole mounts, envs, veth interface, and data directories
+
+### AdGuard Home Installation
+- [CONTAINER] Deployed adguardhome:latest on MikroTik
+- [IP] Assigned 172.17.0.5 (veth-adguard interface)
+- [STORAGE] Data stored on USB (usb1/adguardhome)
+- [VERSION] AdGuard Home v0.107.71
+
+### Encrypted DNS Configuration
+- [TLS] Configured Let's Encrypt wildcard certificate (*.xtrm-lab.org)
+- [DOH] DNS-over-HTTPS enabled on port 443
+- [DOT] DNS-over-TLS enabled on port 853
+- [DOQ] DNS-over-QUIC enabled on port 8853
+- [SERVER] Server name: dns.xtrm-lab.org
+- [CERT] Certificate expires: 2026-04-02
+
+### NAT Rules Updated
+- [NAT] Rule 7: DNS Force now points to 172.17.0.5 (AdGuard Home)
+- [NAT] Rule 9: DNS TCP Force now points to 172.17.0.5
+- [NAT] Rule 24: AdGuard Home Web UI (192.168.31.1:80 → 172.17.0.5:80)
+- [NAT] DoT/DoQ rules to be added for external access
+
+### Benefits
+- [FEATURE] Native DoH/DoT/DoQ server support (Pi-hole required extra containers)
+- [RESOURCE] Reduced container count (no need for separate DoH-Server)
+- [STORAGE] Better storage utilization (USB instead of internal flash)
+
+---
+
 ## 2026-01-21 - Rclone & Cloud Backup Setup
 
 ### Rclone Installation & Configuration