diff --git a/docker-compose.yml b/docker-compose.yml
index 13dc2b6..a635d5a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -60,8 +60,14 @@ services:
 # (ACME registration private key) is sibling to /caddy and is NOT
 # exposed to CoreDNS — only /caddy is mounted.
 - ./caddy-data/caddy:/etc/coredns/certs:ro
+ # CoreDNS's official image is distroless (no shell, no wget/curl), so
+ # the conventional `wget /health` healthcheck silently fails forever
+ # and Docker reports the container as unhealthy. The coredns binary
+ # itself supports a version flag, which exits 0 only if the binary
+ # is runnable — a thin but honest liveness probe. For deeper checks,
+ # query :8081/health from outside the container (curl from the host).
 healthcheck:
- test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/health"]
+ test: ["CMD", "/coredns", "-version"]
 interval: 30s
 timeout: 5s
 retries: 3
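Review bot: The added comment sends readers to `:8081/health`, while the probe it replaces targeted `http://127.0.0.1:8080/health`, so either one port number is wrong or 8081 is a host-side mapping that this hunk does not show; the comment should say which, e.g. `# query the health plugin (container port 8080, published on the host as 8081)`, if that is the actual mapping. Because `/coredns -version` starts a second process and never touches the running server, Docker will keep reporting the container healthy after CoreDNS has stopped answering queries, and anything gated on `condition: service_healthy` inherits that false signal. The external check is therefore the only real liveness signal and should be wired into monitoring rather than left as a suggestion in a comment. If the health port is published for that purpose, bind it to loopback (constructed example: `"127.0.0.1:8081:8080"`) so the endpoint is not reachable from other hosts. The service's `ports:` and `image:` lines are outside this hunk, so the mapping is inferred.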