
Commit bbc4fdb

Fix/block cloudflare ech type65
* fix(dns): block Cloudflare TYPE65/HTTPS records to prevent ECH failures

  Chrome and Safari query Cloudflare-published HTTPS (TYPE65) records for proxied domains, which include ECH parameters tied to Cloudflare's edge. When PiHole resolves these domains to local Caddy IPs instead of Cloudflare, browsers attempt ECH against a server that doesn't support it, causing ERR_SSL_PROTOCOL_ERROR. Firefox handles ECH retry gracefully; Chrome and Safari fail hard.

  Fix: add local-zone 'static' blocks in Unbound for geeksbsmrt.com and smrtgeekdevs.com. Unbound returns SERVFAIL for TYPE65 since no local-data is defined for that type, while PiHole's address= directives continue to serve A records for all subdomains.

  Also adds Access-Control-Allow-Private-Network header to Caddy's external snippet as a defensive measure for Chrome LNA (Private Network Access) restrictions.

  Affected: docker/unbound/unbound.conf (new), docker/caddy/Caddyfile

* fix(dns): remove hardcoded IPs from unbound local-zone config

  local-data A record entries were redundant -- PiHole handles all A record lookups for these zones via its own address= directives and never forwards them to Unbound. Only TYPE65 (HTTPS/ECH) queries reach Unbound for these domains, so local-zone: static alone is sufficient to return NXDOMAIN. Removing local-data eliminates the hardcoded internal IP scheme from the repo while preserving the fix.
1 parent cc071de commit bbc4fdb

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

docker/caddy/Caddyfile

@@ -74,6 +74,7 @@ uptime.home {
7474
Referrer-Policy "strict-origin-when-cross-origin"
7575
Cache-Control "public, max-age=15, must-revalidate"
7676
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(*), speaker-selection=(), usb=(), xr-spatial-tracking=()"
77+
Access-Control-Allow-Private-Network "true"
7778
[defer]
7879
}
7980
file_server
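Review bot: the added `Access-Control-Allow-Private-Network "true"` at line 77 is emitted unconditionally on every response, but browsers only consult this header on the Private Network Access preflight (an OPTIONS request carrying `Access-Control-Request-Private-Network: true`) and only alongside a matching `Access-Control-Allow-Origin`; neither an OPTIONS handler nor an allow-origin header is visible in this header block, so on its own the line is unlikely to change Chrome's behaviour. If it is kept, scope it rather than broadcasting it: answer the preflight explicitly and pair it with an `Access-Control-Allow-Origin` limited to the origins that are expected to call this host, since the header asserts that a public-web origin may reach this private service and a wildcard CORS policy would widen that grant. Separately, the commit message says the header goes into Caddy's external snippet, but the hunk header context here is `uptime.home {`; worth confirming the intended location.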
