diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml
index c79813f..8c9b11d 100644
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@@ -3,6 +3,7 @@ mem_size: 512
 intnet: "{{ network_interfaces[0].ipaddr + '/' + network_interfaces[0].netmask }}"
+intdomain: "{{ inventory_hostname.split('.')[1:] | join('.') }}"
 network_vip_interfaces:
 - device: vio0
@@ -43,7 +44,7 @@ unbound_zones:
 {% else -%}
 {{ reverse[:-1] | split('.', 1) | last -}}
 {% endif -%}
- - "{{ inventory_hostname.split('.')[1:] | join('.') }}"
+ - "{{ intdomain }}"
 # use custom firewall config
 firewall_src: pf.conf.gw_dna.j2
diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml
index 38245f0..c5a3196 100644
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@@ -42,26 +42,26 @@
 - name: Copy DNS private key
 ansible.builtin.copy:
- dest: "{{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key"
+ dest: "{{ tls_private }}/dns.{{ intdomain }}.key"
 src: "{{ item }}"
 mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
- - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/privkey.pem"
+ - "/srv/letsencrypt/live/dns.{{ intdomain }}/privkey.pem"
 - "/srv/ca/private/{{ inventory_hostname }}.key"
 tags: certificates
 notify: Restart unbound
 - name: Copy DNS certificate and ca cert
 ansible.builtin.copy:
- dest: "{{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt"
+ dest: "{{ tls_certs }}/dns.{{ intdomain }}.crt"
 src: "{{ item }}"
 mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
- - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/fullchain.pem"
+ - "/srv/letsencrypt/live/dns.{{ intdomain }}/fullchain.pem"
 - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
 tags: certificates
 notify: Restart unbound
diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2
index 45dd165..ea77174 100644
--- a/roles/dhcpd/templates/dhcpd.conf.j2
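Review bot: `intdomain` collapses to an empty string when `inventory_hostname` has no dot (a short name or an address), and nothing on the new line rejects that, so the consumers in the playbook, dhcpd and unbound hunks would render `dns..key`, `/srv/letsencrypt/live/dns./privkey.pem` and `option domain-name "";`. A fail-fast check in the playbook before the copy tasks, `- ansible.builtin.assert: { that: intdomain | length > 0 }`, surfaces that instead of deploying a broken resolver configuration. The removed expressions also pinned the suffix to `.foo.sh`, whereas the new derivation takes whatever follows the first label; that is the same value for `host.site.foo.sh` names but presumably changes the certificate paths for any host under another suffix, worth confirming against the inventory. A one-line comment above the variable, `# DNS/DHCP domain served by this gateway: inventory_hostname minus its host label`, would document the intent.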
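Review bot: The Let's Encrypt lookup on the changed `with_first_found` line now targets `/srv/letsencrypt/live/dns.{{ intdomain }}/privkey.pem`, and when that directory does not exist the task silently falls through to `/srv/ca/private/{{ inventory_hostname }}.key`, so a host whose `intdomain` differs from the previous `<site>.foo.sh` value would quietly switch unbound's DoT listener to the per-host CA key rather than fail. If that fallback is intended to stay, a comment on the list, `# falls back to the internal-CA host key when no Let's Encrypt cert exists for dns.<intdomain>`, makes the behaviour explicit; the same applies to the certificate task below it.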
+++ b/roles/dhcpd/templates/dhcpd.conf.j2
@@ -42,7 +42,7 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl
 option broadcast-address {{ intnet | ansible.utils.ipaddr('broadcast') }};
 option routers {{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address')}};
- option domain-name "{{ inventory_hostname.split('.')[1] }}.foo.sh";
+ option domain-name "{{ intdomain }}";
 option domain-name-servers {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }};
 use-host-decl-names on;
 }
diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2
index 7d49662..75ce886 100644
--- a/roles/unbound/templates/unbound.conf.dna.j2
+++ b/roles/unbound/templates/unbound.conf.dna.j2
@@ -15,8 +15,8 @@ server:
 interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@53
 interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@853
- tls-service-key: {{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key
- tls-service-pem: {{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt
+ tls-service-key: {{ tls_private }}/dns.{{ intdomain }}.key
+ tls-service-pem: {{ tls_certs }}/dns.{{ intdomain }}.crt
 tls-cert-bundle: {{ tls_bundle }}
 access-control: 127.0.0.0/8 allow
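Review bot: The new `tls-service-key` and `tls-service-pem` lines rebuild the same `dns.{{ intdomain }}.key` / `.crt` paths that the playbook's copy tasks compute separately, so the two can drift apart the next time the naming changes and unbound would then start without its TLS material. Defining them once in group_vars, e.g. `dns_tls_key: "{{ tls_private }}/dns.{{ intdomain }}.key"` and `dns_tls_cert: "{{ tls_certs }}/dns.{{ intdomain }}.crt"`, and referencing those both here and in the playbook keeps them in sync. The `server:` block continues outside the hunk.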