diff --git a/INFRA.md b/INFRA.md index e39806f..7d622ca 100644 --- a/INFRA.md +++ b/INFRA.md @@ -428,7 +428,8 @@ echo '' > ~/.vault/do_pat_cocotte && chmod 600 ~/.vault/do_ # 2. Forge (one-time human push of orphan snapshot to the private forge — agent exfil gate) ./run forge:up -./run forge:dns # then http://ctforge:3000 +net sync # or ./run forge:dns — installs ctforge (and mcforge) via net-tools DX layer +# then http://ctforge:3000 (and mcforge) are live; `net sync` keeps them after any future forge:up # 3. Golden image (once; rebuild when toolchain or base lock changes) export DIGITALOCEAN_TOKEN=$(cat ~/.vault/do_pat_cocotte) diff --git a/docs/CLOUD_DX_HANDOFF.md b/docs/CLOUD_DX_HANDOFF.md index 6920330..854a0d7 100644 --- a/docs/CLOUD_DX_HANDOFF.md +++ b/docs/CLOUD_DX_HANDOFF.md @@ -113,7 +113,7 @@ packer build infra/packer/golden-image.pkr.hcl **7. Fleet:** `./run dist:up 1 s-8vcpu-16gb-amd` → `./run dist:test` → `./run dist:down`. -**8. DNS shortcut:** `forge:dns` writes ` ctforge` to `/etc/hosts` (sudo) → browse `http://ctforge:3000`. +**8. DNS / DX shortcut:** after `forge:up`, `net sync` (or `./run forge:dns` inside the project) installs the managed `ctforge` (and `mcforge`) entry via the net-tools infra installer (forge-dns-render). Browse `http://ctforge:3000`. The shortcuts are adopted into a marked block and survive `net sync` re-runs. **9. One-shot bring-up (human-run):** after forge + key registration + golden image, use `scripts/cloud-bringup.sh` (or run the steps by hand). It does packer + dist:up 1 + dist:typecheck + auto teardown on exit. Launch with nohup ... & and review the log. diff --git a/run b/run index 01bfb99..f838fbc 100755 --- a/run +++ b/run 
@@ -46,7 +46,7 @@ usage() { echo " forge Show forge:* help (auto key ID lookup)" echo " forge:up Bring up (or restore from snapshot) the cocotte-forge droplet; refreshes ~/.vault/cocotte_forge_creds" echo " forge:down Snapshot + destroy (idle ~$0.30/mo)" - echo " forge:dns [name] Add/update /etc/hosts entry (default: ctforge)" + echo " forge:dns [name] Ensure DX /etc/hosts shortcut (ctforge) via net-tools infra (or local); default ctforge" echo " dist Show dist:* help" echo " dist:check Offline terraform fmt/validate/test (mocked, zero cost)" echo " dist:up [size] [region] Spin N workers from golden image" diff --git a/scripts/run/forge.sh b/scripts/run/forge.sh index b113e3e..c29255f 100755 --- a/scripts/run/forge.sh +++ b/scripts/run/forge.sh 
@@ -73,18 +73,26 @@ Forgejo origin lifecycle (DigitalOcean). Needs ~/.vault/do_pat_cocotte + the coc (We just generated ~/.ssh/id_cocotte_fleet + .pub — add the .pub to your DO account as 'cocotte-fleet' if not done.) ./run forge:down stop + snapshot + destroy (~$6/mo -> ~$0.30/mo idle) ./run forge:up restore from newest snapshot, refresh vault creds (auto-looks up key ID) - ./run forge:dns point the 'ctforge' hostname at the current forge IP (sudo; macOS /etc/hosts) + ./run forge:dns ensure 'ctforge' /etc/hosts shortcut (now via net-tools DX infra + net sync; fallback local) EOF } cmd_forge_dns() { - # Map a friendly hostname to the current forge IP in /etc/hosts (macOS). - # Re-run after forge:up (the IP changes). Browse the forge at http://ctforge:3000. + # Map a friendly hostname (ctforge) to the current forge IP in /etc/hosts. + # This is now part of the shared net-tools DX infra installers: + # - `net sync` (or net-tools/bin/forge-dns-render --install) owns the managed block + # - Per-project ./run forge:dns prefers the central renderer when present (fallback below). + # Re-run (or `net sync`) after ./run forge:up (the droplet IP rotates). local name="${1:-ctforge}" ip ip="$(grep -E '^FORGE_IP=' "$_VAULT_CREDS" 2>/dev/null | cut -d= -f2)" [ -n "$ip" ] || { echo "no FORGE_IP in $_VAULT_CREDS" >&2; return 1; } - sudo sh -c "sed -i '' '/[[:space:]]${name}\$/d' /etc/hosts 2>/dev/null; printf '%s\t%s\n' '$ip' '$name' >> /etc/hosts" - echo "/etc/hosts: $name -> $ip → http://$name:3000" + if command -v forge-dns-render >/dev/null 2>&1; then + sudo forge-dns-render --install || echo "(central forge-dns-render had issues; local edit may still have run)" >&2 + else + # Fallback for machines without net-tools DX layer installed yet. + sudo sh -c "sed -i '' '/[[:space:]]${name}\$/d' /etc/hosts 2>/dev/null; printf '%s\t%s\n' '$ip' '$name' >> /etc/hosts" + fi + echo "/etc/hosts: $name -> $ip → http://$name:3000 (also via 'net sync')" } cmd_forge_down() {
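Review bot: In `cmd_forge_dns`, a failing `sudo forge-dns-render --install` is reduced to a stderr hint, after which the function still prints `/etc/hosts: $name -> $ip` as its last command and so reports success. The hint itself is wrong, because the local edit sits in the `else` branch and cannot have run. On the renderer branch the `[name]` argument is never handed to the renderer, so the closing line can report a mapping that was not written. The renderer is located through the caller's `PATH` and then executed as root, and the fallback still splices `$name` and `$ip` into the `sudo sh -c` string, so a stray quote in either value alters the command that root runs. I would validate both values, run the resolved path, return non-zero on failure and pass the values as positional parameters, as sketched below; whether the installed `forge-dns-render` is root-owned is not visible in this hunk and is worth confirming.

```shell
  # … unchanged: name/ip lookup and the empty-FORGE_IP check …
  # Reject anything that is not a plain hostname / IP literal before it gets near sudo.
  case "$name" in *[!A-Za-z0-9.-]*) echo "invalid hostname: $name" >&2; return 1 ;; esac
  case "$ip" in *[!0-9A-Fa-f.:]*) echo "invalid FORGE_IP in $_VAULT_CREDS" >&2; return 1 ;; esac
  local renderer
  if renderer="$(command -v forge-dns-render 2>/dev/null)"; then
    # Run exactly the path that was checked, and surface failure to the caller.
    sudo "$renderer" --install || { echo "forge-dns-render --install failed" >&2; return 1; }
  else
    # Fallback for machines without net-tools DX layer installed yet.
    # Values travel as positional parameters, never as shell text.
    sudo sh -c 'sed -i "" "/[[:space:]]$2\$/d" /etc/hosts 2>/dev/null; printf "%s\t%s\n" "$1" "$2" >> /etc/hosts' sh "$ip" "$name"
  fi
  # … unchanged: closing echo …
```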