diff --git a/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml
index fbb4494..f873956 100644
--- a/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2005.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml
index fbb4494..f873956 100644
--- a/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2006.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml
index fbb4494..f873956 100644
--- a/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2007.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml
index fbb4494..f873956 100644
--- a/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2008.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml
index fbb4494..f873956 100644
--- a/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2009.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml
index 00d319e..ad02274 100644
--- a/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2029.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_master_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml
index 00d319e..ad02274 100644
--- a/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2030.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_master_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml
index 00d319e..ad02274 100644
--- a/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2031.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_master_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml
index 92f6c57..69fc05d 100644
--- a/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2032.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml
index 92f6c57..69fc05d 100644
--- a/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2033.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml
index 92f6c57..69fc05d 100644
--- a/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2034.main.unkin.net.yaml
@@ -11,7 +11,7 @@ networking::interfaces:
 type: physical
 forwarding: true
 dhcp: true
- loopback0:
+ anycast0:
 type: dummy
 ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
 netmask: 255.255.255.255
@@ -24,7 +24,7 @@ frrouting::ospfd_redistribute:
 frrouting::ospfd_interfaces:
 eth0:
 area: 0.0.0.0
- loopback0:
+ anycast0:
 area: 0.0.0.0
 frrouting::daemons:
 ospfd: true
diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
index 9b761a7..1fbe7ba 100644
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@@ -13,10 +13,18 @@ profiles::pki::vault::alt_names: - incus.query.consul - "incus.service.%{facts.country}-%{facts.region}.consul" +profiles::pki::vault::ip_sans: + - "%{hiera('networking_loopback0_ip')}" + - "%{hiera('networking_loopback1_ip')}" + - "%{hiera('networking_loopback2_ip')}" + profiles::ssh::sign::principals: - incus.service.consul - incus.query.consul - "incus.service.%{facts.country}-%{facts.region}.consul" + - "%{hiera('networking_loopback0_ip')}" + - "%{hiera('networking_loopback1_ip')}" + - "%{hiera('networking_loopback2_ip')}" # configure consul service consul::services: @@ -65,10 +73,12 @@ profiles::yum::global::repos: gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022 mirrorlist: absent +# dns +profiles::dns::base::primary_interface: loopback0 + # networking systemd::manage_networkd: true systemd::manage_all_network_files: true -#networking::use_networkd: true networking::interfaces: enp2s0: type: physical diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index 5542515..8d10a85 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -7,6 +7,7 @@ class profiles::dns::base ( 'region', 'country' ]] $use_ns = undef, + String $primary_interface = $facts['networking']['primary'], Optional[String] $ns_role = undef, ){ 
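Review bot: The three `networking_loopbackN_ip` keys that now feed both `profiles::pki::vault::ip_sans` and `profiles::ssh::sign::principals` are not defined anywhere in this diff, and this is a role-level file, so each incus node has to supply its own values. If the keys were ever set at a shared level, every node would request a TLS certificate and an SSH certificate valid for the same addresses, and a node missing one of them may end up with an empty entry in either list (how a failed lookup is handled is not visible here). I would add a comment above the first list, for example `# networking_loopback{0,1,2}_ip are per-node keys and must be set in hieradata/nodes/<fqdn>.yaml`, and note that the two lists name the same identities and must stay in sync.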
@@ -43,6 +44,24 @@ class profiles::dns::base ( } # export dns records for client - profiles::dns::client {"${facts['networking']['fqdn']}-default":} + $facts['networking']['interfaces'].each | $interface, $data | { + # exclude those without ipv4 address, lo and anycast addresses + if $data['ip'] and $interface != 'lo' and $interface !~ /^anycast[0-9]$/ { + + # use defaults for the primary_interface + if $interface == $primary_interface { + profiles::dns::client {"${facts['networking']['fqdn']}-${interface}": + interface => $interface, + } + + # update secondary interfaces + }else{ + profiles::dns::client {"${facts['networking']['fqdn']}-${interface}": + interface => $interface, + hostname => "${facts['networking']['hostname']}-${interface}", + } + } + } + } } diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp index 3dca748..9e2d637 100644 --- a/site/profiles/manifests/dns/client.pp +++ b/site/profiles/manifests/dns/client.pp 
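Review bot: The new loop exports A and PTR records for every interface that has an IPv4 address unless it is `lo` or matches `/^anycast[0-9]$/`, which is a deny-list: on hosts with bridge or container-facing interfaces (presumably the incus role) it would publish internal addresses, and possibly the same address from several hosts. The pattern also stops at a single digit, so an interface named `anycast10` would still be exported; `$interface !~ /^anycast[0-9]+$/` closes that. An explicit allow-list parameter would be safer than exclusions, and when `$primary_interface` names an interface without an IPv4 address nothing is exported under the bare hostname, which deserves a comment. The class starts outside the hunk.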
@@ -1,30 +1,31 @@
 # profiles::dns::client
 define profiles::dns::client (
- Boolean $forward = true,
- Boolean $reverse = true,
- Integer $order = 10,
+ Boolean $forward = true,
+ Boolean $reverse = true,
+ Integer $order = 10,
+ String $interface = $facts['networking']['primary'],
+ Stdlib::Fqdn $hostname = $facts['networking']['hostname'],
+ Stdlib::Fqdn $domain = $facts['networking']['domain'],
 ){
- $intf = $facts['networking']['primary']
- $fqdn = $facts['networking']['fqdn']
- $last_octet = regsubst($::facts['networking']['ip'], '^.*\.', '')
+ $last_octet = regsubst($facts['networking']['interfaces'][$interface]['ip'], '^.*\.', '')
 if $forward {
- profiles::dns::record { "${fqdn}_${intf}_A":
- value => $::facts['networking']['ip'],
+ profiles::dns::record { "${title}_A":
+ value => $facts['networking']['interfaces'][$interface]['ip'],
 type => 'A',
- record => $::facts['networking']['hostname'],
- zone => $::facts['networking']['domain'],
+ record => $hostname,
+ zone => $domain,
 order => $order,
 }
 }
 if $reverse {
- profiles::dns::record { "${fqdn}_${intf}_PTR":
- value => "${::facts['networking']['fqdn']}.",
+ profiles::dns::record { "${title}_PTR":
+ value => "${hostname}.${domain}.",
 type => 'PTR',
 record => $last_octet,
- zone => $::facts['arpa'][$interface]['zone'],
+ zone => $facts['arpa'][$interface]['zone'],
 order => $order,
 }
 }
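Review bot: `$facts['networking']['interfaces'][$interface]['ip']` and `$facts['arpa'][$interface]['zone']` are now indexed by a caller-supplied `$interface` with no check that either entry exists. The loop in `profiles::dns::base` filters on `$data['ip']` but not on the `arpa` fact, so an interface without an arpa entry would either fail compilation or export a PTR record with an undefined zone; which of the two cannot be told from the hunk. Resolving the zone first with `$zone = $facts.dig('arpa', $interface, 'zone')` and guarding with `if $reverse and $zone {` would make the define safe to call for any interface. A short header comment documenting `$interface`, `$hostname` and `$domain` would also help, since the resource title now determines the record names. The define's closing brace lies outside the hunk.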