diff --git a/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
index 1ef37a7be..be59cd9b1 100644
--- a/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -41,6 +41,28 @@ defaults
 timeout http-request 10s
 load-server-state-from-file global
+# -----------------------------------------------------------------------
+# DNS resolvers — Incus's managed bridges expose a built-in DNS
+# resolver on the gateway IP for the bridge's subnet (10.0.20.1 for
+# net-veza). Backend containers' .lxd hostnames resolve here.
+# init-addr last,libc,none on default-server lets HAProxy start
+# even if the backends don't exist yet ; servers go into MAINT
+# until the resolver returns an address (deploy_app.yml creates
+# them later, then `incus-resolver` task in HAProxy picks them up
+# automatically — no haproxy reload needed).
+# -----------------------------------------------------------------------
+resolvers veza_dns
+ nameserver incus_gw 10.0.20.1:53
+ accepted_payload_size 4096
+ resolve_retries 3
+ timeout resolve 1s
+ timeout retry 1s
+ hold valid 10s
+ hold nx 5s
+ hold timeout 5s
+ hold refused 5s
+ hold obsolete 30s
+
 # -----------------------------------------------------------------------
 # Stats endpoint — bound to loopback only ; the Prometheus haproxy
 # exporter sidecar scrapes it.
 
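Review bot: The nameserver address `10.0.20.1` in the new `resolvers veza_dns` section is hard-coded while every other environment-specific value in this template is a Jinja variable; if the net-veza bridge subnet is changed in the Incus network definition, HAProxy keeps querying the old gateway and, because `init-addr` ends in `none`, every server silently stays in MAINT instead of the config failing validation. I would source it from the same role variable that defines the bridge gateway, e.g. `nameserver incus_gw {{ <bridge gateway variable> }}:53`, so the two cannot drift. The header comment also says the containers' `.lxd` hostnames resolve here, whereas the server lines in the later hunks build names from `{{ veza_incus_dns_suffix }}`; the comment should name that variable rather than a fixed suffix. Finally, `init-addr last` only has an effect when a server-state file is actually written and loaded (`load-server-state-from-file global` is visible in context, the matching `server-state-file` in `global` is not), which is worth a line in the comment since the stated "starts even if backends don't exist" behaviour otherwise rests on `none` alone.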
@@ -149,7 +171,7 @@ backend {{ env }}_backend_api
 option httpchk GET {{ veza_healthcheck_paths.backend | default('/api/v1/health') }}
 http-check expect status 200
 cookie {{ haproxy_sticky_cookie_name }}_{{ env }} insert indirect nocache httponly secure
- default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s
+ default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s init-addr last,libc,none resolvers veza_dns
 server {{ env }}_backend_blue {{ prefix }}backend-blue.{{ veza_incus_dns_suffix }}:{{ veza_backend_port }} cookie {{ env }}_backend_blue {{ '' if _active == 'blue' else 'backup' }}
 server {{ env }}_backend_green {{ prefix }}backend-green.{{ veza_incus_dns_suffix }}:{{ veza_backend_port }} cookie {{ env }}_backend_green {{ '' if _active == 'green' else 'backup' }}
 
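Review bot: The `init-addr last,libc,none resolvers veza_dns` suffix is now duplicated verbatim on three already very long `default-server` lines (this hunk and the two in `{{ env }}_stream_pool` and `{{ env }}_web_pool`), so a future change to the resolver policy has to be made in three places. HAProxy allows `default-server` in the `defaults` section, so the resolver settings could be declared once there as `default-server init-addr last,libc,none resolvers veza_dns` and the per-backend lines keep only the health-check parameters they actually vary on. Independently, `libc` in `init-addr` means the host's own stub resolver is asked for the `{{ veza_incus_dns_suffix }}` names at startup; if the host does not forward that suffix to the bridge resolver this is harmless because `none` follows, but a short comment saying so would stop the next reader from removing it or treating a libc miss as a bug. The enclosing `backend` block starts and ends outside the hunk.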
@@ -160,7 +182,7 @@ backend {{ env }}_stream_pool
 option httpchk GET {{ veza_healthcheck_paths.stream | default('/health') }}
 http-check expect status 200
 timeout tunnel 1h
- default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s
+ default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s init-addr last,libc,none resolvers veza_dns
 server {{ env }}_stream_blue {{ prefix }}stream-blue.{{ veza_incus_dns_suffix }}:{{ veza_stream_port }} {{ '' if _active == 'blue' else 'backup' }}
 server {{ env }}_stream_green {{ prefix }}stream-green.{{ veza_incus_dns_suffix }}:{{ veza_stream_port }} {{ '' if _active == 'green' else 'backup' }}
@@ -169,7 +191,7 @@ backend {{ env }}_web_pool
 balance roundrobin
 option httpchk GET {{ veza_healthcheck_paths.web | default('/') }}
 http-check expect status 200
- default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s
+ default-server check inter {{ haproxy_health_check_interval_ms }} fall {{ haproxy_health_check_fall }} rise {{ haproxy_health_check_rise }} on-marked-down shutdown-sessions slowstart {{ haproxy_graceful_drain_seconds }}s init-addr last,libc,none resolvers veza_dns
 server {{ env }}_web_blue {{ prefix }}web-blue.{{ veza_incus_dns_suffix }}:{{ veza_web_port }} {{ '' if _active == 'blue' else 'backup' }}
 server {{ env }}_web_green {{ prefix }}web-green.{{ veza_incus_dns_suffix }}:{{ veza_web_port }} {{ '' if _active == 'green' else 'backup' }}