Disable DNS over TLS for NordVPN compatibility

[Copilot]

DNS over TLS (DoT) in the Cloudflare for Families configuration is incompatible with NordVPN, causing name resolution failures when the VPN is active. This change disables DoT while maintaining DNS filtering protection.

Changes Made

• Changed DNSOverTLS=yes to DNSOverTLS=no in the systemd-resolved configuration
• Updated changelog with security rationale and threat model assessment

Impact

This change ensures reliable DNS resolution when using NordVPN while preserving the security benefits:

• Maintains DNS Filtering: Cloudflare for Families DNS servers (1.1.1.3/1.0.0.3) continue to provide malware and adult content blocking
• Ensures VPN Compatibility: Name resolution works properly when NordVPN is connected
• Preserves Security: Users still benefit from NordVPN's threat protection and encrypted DNS through the VPN tunnel

The trade-off is acceptable since the DNS encryption is handled by NordVPN when connected, and the filtering protection remains active.

Fixes #47.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[Copilot]

@brabster 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.