diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index de4d7d8e..74e45b3d 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -833,6 +833,15 @@ mkdir -p "$ARCH_DIR"
 mkdir -p "$ARCH_DIR/bin"
 mkdir -p "$ARCH_DIR/scripts"
 
+# Embed netavark + aardvark-dns for container DNS (podman CNI lacks DNS)
+if [ -f /usr/lib/podman/netavark ] && [ -f /usr/lib/podman/aardvark-dns ]; then
+    cp /usr/lib/podman/netavark "$ARCH_DIR/bin/netavark"
+    cp /usr/lib/podman/aardvark-dns "$ARCH_DIR/bin/aardvark-dns"
+    echo "   Embedded netavark + aardvark-dns in ISO"
+else
+    echo "   WARNING: netavark/aardvark-dns not found — install with: apt install aardvark-dns netavark"
+fi
+
 # Copy the pre-built rootfs
 echo "   Including root filesystem..."
 cp "$ROOTFS_TAR" "$ARCH_DIR/rootfs.tar"
@@ -1788,10 +1797,11 @@ chown -R 1000:1000 /mnt/target/home/archipelago/.config
 
 # Install netavark + aardvark-dns for container DNS resolution on archy-net.
 # Debian 12's podman defaults to CNI which lacks DNS. Netavark provides built-in DNS.
-if [ -f /usr/lib/podman/netavark ] && [ -f /usr/lib/podman/aardvark-dns ]; then
+# Binaries are embedded in the ISO at build time (archipelago/bin/).
+if [ -f "$BOOT_MEDIA/archipelago/bin/netavark" ] && [ -f "$BOOT_MEDIA/archipelago/bin/aardvark-dns" ]; then
     mkdir -p /mnt/target/usr/lib/podman
-    cp /usr/lib/podman/netavark /mnt/target/usr/lib/podman/netavark
-    cp /usr/lib/podman/aardvark-dns /mnt/target/usr/lib/podman/aardvark-dns
+    cp "$BOOT_MEDIA/archipelago/bin/netavark" /mnt/target/usr/lib/podman/netavark
+    cp "$BOOT_MEDIA/archipelago/bin/aardvark-dns" /mnt/target/usr/lib/podman/aardvark-dns
     chmod +x /mnt/target/usr/lib/podman/netavark /mnt/target/usr/lib/podman/aardvark-dns
     # Configure podman to use netavark backend (enables container DNS)
     mkdir -p /mnt/target/home/archipelago/.config/containers
@@ -1802,8 +1812,7 @@ CONTAINERSCONF
     chown -R 1000:1000 /mnt/target/home/archipelago/.config/containers
     echo "   Installed netavark + aardvark-dns (container DNS enabled)"
 else
-    echo "   WARNING: netavark/aardvark-dns not found on build host — container DNS will not work"
-    echo "   Install with: apt install aardvark-dns netavark"
+    echo "   WARNING: netavark/aardvark-dns not found in ISO — container DNS will not work"
 fi
 
 # Laptop support: ignore lid close so server keeps running