diff --git a/jkctl b/jkctl index b5bc1b3..b0bc096 100755 --- a/jkctl +++ b/jkctl @@ -70,6 +70,13 @@ class Jkctl ns_file = File.join(manifest_dir, "namespace.yaml") execute("kubectl apply -f #{ns_file}") + # Special handling for external-dns (Kustomize) + if scope == 'infra' + env_dir = @options[:env] == 'stg' ? 'staging' : 'production' + ext_dns_dir = File.join(@repo_root, 'video-iac', 'k8s', 'external-dns', 'overlays', env_dir) + execute("kubectl apply -k #{ext_dns_dir}") + end + # Apply all yaml files in the directory (except namespace which we just did) Dir.glob(File.join(manifest_dir, "*.yaml")).each do |file| next if file.end_index?("namespace.yaml") diff --git a/k8s/external-dns/overlays/staging/configuration.yaml b/k8s/external-dns/overlays/staging/configuration.yaml index ef041c7..bda8437 100644 --- a/k8s/external-dns/overlays/staging/configuration.yaml +++ b/k8s/external-dns/overlays/staging/configuration.yaml @@ -12,6 +12,7 @@ - --provider=aws - --registry=txt - --source=ingress + - --source=service - --txt-prefix=staging_ # Random string for hardener TXT entries - op: replace path: /spec/template/spec/containers/0/env diff --git a/k8s/external-dns/overlays/staging/kustomization.yaml b/k8s/external-dns/overlays/staging/kustomization.yaml index 635f9d0..9c8c6b5 100644 --- a/k8s/external-dns/overlays/staging/kustomization.yaml +++ b/k8s/external-dns/overlays/staging/kustomization.yaml 
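Review bot: In the added `env_dir = @options[:env] == 'stg' ? 'staging' : 'production'`, every value other than `'stg'` — a typo, an unset option, any future environment — silently selects the production overlay and applies it with `kubectl apply -k`. A lookup that fails closed is safer: `ENV_DIRS = { 'stg' => 'staging', 'prod' => 'production' }.freeze` (the production key is a placeholder — use whatever value the script already accepts) and `env_dir = ENV_DIRS.fetch(@options[:env]) { raise ArgumentError, "unknown env: #{@options[:env].inspect}" }`. The kustomize directory is applied only when `scope == 'infra'` while the rest of the method works from `manifest_dir`; a one-line comment saying why external-dns lives outside `manifest_dir` would help. Unless `end_index?` is defined elsewhere in the project, the context line `next if file.end_index?("namespace.yaml")` looks like it should be `end_with?` — not part of this change, but it sits in the same method. The enclosing method starts and ends outside the hunk.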
@@ -3,22 +3,45 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: external-dns -bases: -- ../../base +resources: + - ../../base -patchesJson6902: - - path: configuration.yaml - target: +patches: + - target: group: apps version: v1 kind: Deployment name: external-dns - -patches: - - target: - kind: Deployment patch: |- + - op: replace + path: /spec/template/spec/containers/0/args + value: + - --aws-api-retries=3 + - --domain-filter=jamkazam.com + - --interval=1m + - --log-format=text + - --log-level=warning + - --no-aws-evaluate-target-health + - --policy=sync + - --provider=aws + - --registry=txt + - --source=ingress + - --source=service + - --txt-prefix=staging_ + - op: replace + path: /spec/template/spec/containers/0/env + value: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: aws-user-external-dns + key: username + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: aws-user-external-dns + key: password - op: add path: /spec/template/spec/nodeSelector value: - workload: infra \ No newline at end of file + workload: infra diff --git a/k8s/jam-cloud-infra/network-policy.yaml b/k8s/jam-cloud-infra/network-policy.yaml new file mode 100644 index 0000000..bfb82d7 --- /dev/null +++ b/k8s/jam-cloud-infra/network-policy.yaml 
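Review bot: This hunk removes the `- path: configuration.yaml` reference under the old `patchesJson6902:` and inlines the whole args/env patch instead, yet the same commit still edits `configuration.yaml` (the `--source=service` hunk above), so that file is now an orphan that is no longer applied and the two copies will drift. Either delete `configuration.yaml` in this commit, or keep it as the single source and reference it from the new block: `patches:` / `  - path: configuration.yaml` / `    target: {group: apps, version: v1, kind: Deployment, name: external-dns}`. The inline `value:` under the `/spec/template/spec/containers/0/env` op replaces the container's entire `env` with the two AWS keys from the `aws-user-external-dns` Secret; a comment above that op noting that it overwrites rather than appends would save the next reader from adding a variable in the base and wondering why it disappears.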
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-infra-from-authorized-ips
+ namespace: jam-cloud-infra
+spec:
+ podSelector: {} # apply to all pods in jam-cloud-infra
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 72.14.184.26/32
+ - ipBlock:
+ cidr: 173.255.192.5/32
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: jam-cloud # allow apps in jam-cloud to talk to infra
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx # allow ingress controller to reach infra
+ - ports: # Optional: Keep management UI reachable from everywhere? Or also restrict?
+ - protocol: TCP
+ port: 15672
diff --git a/k8s/jam-cloud-infra/postgres.yaml b/k8s/jam-cloud-infra/postgres.yaml
new file mode 100644
index 0000000..6ea8369
--- /dev/null
+++ b/k8s/jam-cloud-infra/postgres.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: db
+ namespace: jam-cloud-infra
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: db.staging.video.jamkazam.com
+spec:
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: db
+ namespace: jam-cloud-infra
+subsets:
+ - addresses:
+ - ip: 72.14.176.182
+ ports:
+ - port: 5432
diff --git a/k8s/jam-cloud-infra/rabbitmq.yaml b/k8s/jam-cloud-infra/rabbitmq.yaml
index 4a09e3e..3425635 100644
--- a/k8s/jam-cloud-infra/rabbitmq.yaml
+++ b/k8s/jam-cloud-infra/rabbitmq.yaml
@@ -41,8 +41,11 @@ metadata:
 namespace: jam-cloud-infra
 annotations:
 external-dns.alpha.kubernetes.io/hostname: rabbitmq.staging.video.jamkazam.com
+ external-dns.alpha.kubernetes.io/target: 45.79.62.230
+ service.beta.kubernetes.io/linode-loadbalancer-throttle: "4"
 spec:
 type: LoadBalancer
+ externalTrafficPolicy: Cluster
 loadBalancerSourceRanges:
 - 72.14.184.26/32
 - 173.255.192.5/32
diff --git a/k8s/jam-cloud-infra/redis.yaml b/k8s/jam-cloud-infra/redis.yaml
index 58fc573..9383e9c 100644
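Review bot: The second ingress rule — `- ports:` with `- protocol: TCP` / `port: 15672` and no `from:` — matches every source, and ingress rules are OR-ed, so this policy leaves TCP/15672 on every pod in `jam-cloud-infra` reachable from anywhere the CNI routes; the trailing comment asks exactly this question, but the YAML answers it with "everywhere". If the management port should follow the same allow-list, delete the `- ports:` rule altogether: the first rule already grants all ports to the listed sources. If it must be public, replace the question in the comment with a statement of that decision and who approved it. Note also that `ipBlock` matches on the source address the node sees; traffic arriving through a LoadBalancer with `externalTrafficPolicy: Cluster` is SNAT-ed and may not carry the original client IP, so the two `/32` entries may not behave as intended for LB traffic. The policy only takes effect on a CNI that enforces NetworkPolicy, which is worth confirming for the target cluster.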
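Review bot: The `db` Service carries `external-dns.alpha.kubernetes.io/hostname: db.staging.video.jamkazam.com` but has no selector and no `type`, so it is a plain ClusterIP Service fronting the external address `72.14.176.182` through a hand-written Endpoints object. external-dns does not publish ClusterIP Services unless it runs with `--publish-internal-services` (not visible in this commit), and if it did, the record would carry a cluster-internal IP into the public zone rather than the database host; if the goal is only a stable in-cluster name, drop the annotation, and if the goal is a public record, it needs to point at the real address. A short comment on the Endpoints line, e.g. `# <what this host is, who owns it>`, would make the hard-coded address reviewable when it changes. The Endpoints API is deprecated in newer Kubernetes releases in favour of EndpointSlice, so it is worth checking what the target cluster version supports.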
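Review bot: The added `external-dns.alpha.kubernetes.io/target: 45.79.62.230` pins the published record to a literal address, so external-dns no longer follows the Service's LoadBalancer status; if the NodeBalancer is ever recreated the DNS name silently points at a stale IP, and nothing in the file says where the address comes from. At minimum a comment on that line, `# pinned to the NodeBalancer address: <reason>; update if the LB is recreated`, would record the intent — the same applies to the `45.79.63.240` pin in the redis.yaml hunk below. `externalTrafficPolicy: Cluster` also means backend pods see SNAT-ed traffic rather than the client address, so `loadBalancerSourceRanges` only restricts access if the Linode cloud controller enforces it at the NodeBalancer itself; if enforcement fell to kube-proxy on the node, the source it sees would be the load balancer, not the client, so this is worth confirming. The `linode-loadbalancer-throttle: "4"` value is unexplained; a short comment giving its unit would help the next reader.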
--- a/k8s/jam-cloud-infra/redis.yaml
+++ b/k8s/jam-cloud-infra/redis.yaml
@@ -33,8 +33,11 @@ metadata:
 namespace: jam-cloud-infra
 annotations:
 external-dns.alpha.kubernetes.io/hostname: redis.staging.video.jamkazam.com
+ external-dns.alpha.kubernetes.io/target: 45.79.63.240
+ service.beta.kubernetes.io/linode-loadbalancer-throttle: "4"
 spec:
 type: LoadBalancer
+ externalTrafficPolicy: Cluster
 loadBalancerSourceRanges:
 - 72.14.184.26/32
 - 173.255.192.5/32