Reverse proxy amendments 2 (#616)

* Reverse Proxy Doc Amendments

- update custom domains page to more closely reflect wording in the UI, added screenshots
- add warning to index page that reverse proxy feature does not currently work with pre-shared keys/rosenpass

* Update navigation order (move reverse proxy below network routes)

* update migration guide to mention the need for TWO cname records (proxy and proxy wildcard)
This commit is contained in:
shuuri-labs
2026-02-17 14:37:37 +01:00
committed by GitHub
parent f007175574
commit bca8559980
6 changed files with 49 additions and 39 deletions


@@ -150,15 +150,16 @@ The Traefik labels configure a **TCP router** that:
The `HostSNI(*)` rule acts as a catch-all for any domain not matched by the existing NetBird HTTP routers. The `priority=1` ensures this TCP router only handles traffic that no other router claims. Any domain pointing to your server that isn't `netbird.example.com` will be forwarded to the proxy.
</Note>
### Step 4: Set up wildcard DNS
### Step 4: Set up DNS records
Create a wildcard DNS record pointing to the server running your NetBird stack:
Create two DNS records pointing to the server running your NetBird stack — one for the base proxy domain and one wildcard for service subdomains:
```
*.proxy.example.com → <your-server-IP>
```
| Type | Name | Content |
|------|------|---------|
| `CNAME` | `proxy.example.com` | `netbird.example.com` |
| `CNAME` | `*.proxy.example.com` | `netbird.example.com` |
This ensures that all service subdomains (e.g., `myapp.proxy.example.com`, `dashboard.proxy.example.com`) resolve to your server where Traefik forwards them to the proxy container.
The base domain record is required because a wildcard DNS record does not cover the bare domain itself. The wildcard record ensures that all service subdomains (e.g., `myapp.proxy.example.com`, `dashboard.proxy.example.com`) resolve to your server where Traefik forwards them to the proxy container.
### Step 5: Apply changes
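Review bot: The new Step 4 table offers only `CNAME` records with `netbird.example.com` as content, while the intro sentence still says the records point "to the server running your NetBird stack" and the removed example used `<your-server-IP>`. Say explicitly that `netbird.example.com` stands for the reader's existing NetBird hostname, and mention that `A`/`AAAA` records to the server IP work as well, since a `CNAME` cannot be placed at a zone apex if someone uses one as the proxy domain. Because the `HostSNI(*)` router described just above forwards any unmatched name to the proxy, it is also worth one sentence here noting that the wildcard makes every name under `proxy.example.com` resolve to this server, not only the configured services.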