Add fallback DNS resolvers to all nodes

All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.

Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hw/vade/default.nix

@@ -44,12 +44,16 @@
   # which hijacks all DNS queries through systemd-resolved.
   services.tailscale.extraUpFlags = ["--accept-dns=false"];
 
-  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
-  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
-  # while DHCP/Tailscale DNS handles everything else.
+  # DNS: MCNS for internal zones, public resolvers as fallback.
+  # When MCNS is down, internal names (.svc.mcp.metacircular.net) fail
+  # but external DNS keeps working via 1.1.1.1/8.8.8.8.
+  # Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
+  # causes total DNS blackout including external services.
   networking.nameservers = [
-    "192.168.88.181"
-    "100.95.252.120"
+    "192.168.88.181"    # MCNS (LAN)
+    "100.95.252.120"    # MCNS (Tailnet)
+    "1.1.1.1"           # Cloudflare (fallback)
+    "8.8.8.8"           # Google (fallback)
   ];
   services.resolved.domains = [
     "~mcp.metacircular.net"