diff --git a/SCRATCH/internal-dns-zone.md b/SCRATCH/internal-dns-zone.md
new file mode 100644
index 0000000..5e0fe32
--- /dev/null
+++ b/SCRATCH/internal-dns-zone.md
@@ -0,0 +1,41 @@
+# Internal DNS Zone — internal.zlh
+
+Zone managed by Technitium on zlh-dns (9010 / 10.60.0.14).
+This zone is internal only — not resolvable publicly.
+
+## Zone: internal.zlh
+
+### CORE_LAN (10.60.0.0/24)
+| Hostname | IP | Service |
+|----------|----|---------|
+| api.internal.zlh | 10.60.0.18 | zpac-api (9020) |
+| portal.internal.zlh | 10.60.0.19 | zpac-portal (9021) |
+| artifacts.internal.zlh | 10.60.0.17 | zlh-artifacts (9014) |
+| proxy.internal.zlh | 10.60.0.16 | zlh-proxy / Caddy (9011) |
+| dns.internal.zlh | 10.60.0.14 | zlh-dns / Technitium (9010) |
+| monitor.internal.zlh | 10.60.0.25 | zlh-monitor (9016) |
+
+### ZPACK_LAN (10.70.0.0/24)
+| Hostname | IP | Service |
+|----------|----|---------|
+| velocity.internal.zlh | 10.70.0.10 | zpack-velocity (9015) |
+| zpack-proxy.internal.zlh | 10.70.0.11 | zlh-zpack-proxy / Traefik (9012) |
+
+### MGMT_LAN (172.60.0.0/24)
+| Hostname | IP | Service |
+|----------|----|---------|
+| proxmox.internal.zlh | 172.60.0.6 | Proxmox host (zlh1) |
+| pbs.internal.zlh | 172.60.0.x | zlh-back / PBS (9017) — confirm IP |
+
+## Future zones (when needed)
+- `game.zlh` — game server containers
+- `dev.zlh` — dev containers
+
+## Config files to update once zone is live
+- zpac-api .env — replace all hardcoded IPs with internal.zlh hostnames
+- zpac-portal .env.local — NEXT_PUBLIC_API_BASE_URL=http://api.internal.zlh:4000
+- zlh-agent — ZLH_ARTIFACT_BASE_URL=http://artifacts.internal.zlh:8080
+- Caddy 9011 Caddyfile — reverse_proxy targets
+- Traefik 9012 dynamic config — service URLs
+- Proxmox host DNS setting — point to 10.60.0.14
+- All LXC DNS settings in Proxmox UI — point to 10.60.0.14