diff --git a/docs/changelog.d/fix-fly-deploy-warnings.bugfix.md b/docs/changelog.d/fix-fly-deploy-warnings.bugfix.md
new file mode 100644
index 0000000..ec44db2
--- /dev/null
+++ b/docs/changelog.d/fix-fly-deploy-warnings.bugfix.md
@@ -0,0 +1 @@
+Fix fly-deploy WARNING by starting nginx before Tailscale, deferring upstream DNS resolution to request time.
diff --git a/fly/nginx.conf b/fly/nginx.conf
index c1f6169..135183e 100644
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@@ -32,6 +32,12 @@ http {
 proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m max_size=200m inactive=24h;
+ # MagicDNS resolver — using a variable in proxy_pass defers upstream DNS
+ # resolution to request time, letting nginx start before Tailscale connects.
+ # Results are cached for 30s per worker to avoid per-request DNS lookups.
+ resolver 100.100.100.100 valid=30s;
+ resolver_timeout 5s;
+
 # --- docs.eblu.me (static site) ---
 server {
 listen 8080;
@@ -40,7 +46,8 @@ http {
 limit_req zone=general burst=20 nodelay;
 location / {
- proxy_pass https://docs.tail8d86e.ts.net;
+ set $upstream_docs https://docs.tail8d86e.ts.net;
+ proxy_pass $upstream_docs$request_uri;
 proxy_ssl_verify off;
 proxy_ssl_server_name on;
diff --git a/fly/start.sh b/fly/start.sh
index fcd9718..620dfea 100644
--- a/fly/start.sh
+++ b/fly/start.sh
@@ -1,6 +1,13 @@
 #!/bin/sh
 set -e
+# Start nginx immediately so port 8080 is bound before Fly's deploy checks.
+# Upstream DNS resolution is deferred via resolver + variable in nginx.conf,
+# so nginx starts cleanly even before Tailscale connects.
+nginx -g "daemon off;" &
+NGINX_PID=$!
+echo "Nginx started (waiting for Tailscale before proxying)"
+
 # Start tailscale daemon. Fly.io runs Firecracker microVMs which support
 # TUN devices natively — no need for --tun=userspace-networking.
 tailscaled --statedir=/var/lib/tailscale &
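Review bot: The `resolver 100.100.100.100` added here makes the upstream address depend on a plain, unauthenticated DNS answer fetched at request time, and the `proxy_ssl_verify off;` left in place in the `location /` hunk means nothing then checks that the host reached is really docs.tail8d86e.ts.net. Until tailscaled has brought its interface up, queries to that address presumably follow the default route, so an answer in that window need not come from MagicDNS. I would turn verification on next to the new `proxy_pass`: `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to CA bundle>;`, assuming the tailnet host serves a publicly trusted certificate. The `http` block continues outside this hunk.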
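Review bot: Appending `$request_uri` in `proxy_pass $upstream_docs$request_uri;` is not needed to keep the old behaviour, and it pins the upstream path to the raw client request line, so a later `rewrite` or internal redirect in this location would be silently ignored. Since `$upstream_docs` carries no URI part, `proxy_pass $upstream_docs;` should forward the request URI just as the literal `proxy_pass https://docs.tail8d86e.ts.net;` did. If other `proxy_pass` directives with literal hostnames remain elsewhere in the file (not visible here), nginx would still resolve them at startup and the early start would fail. The `location /` block continues past the hunk.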
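Review bot: Because `nginx -g "daemon off;" &` runs in the background, `set -e` does not see a startup failure, and the `echo "Nginx started ..."` that follows prints either way; a bad config is only noticed at the final `wait`, after tailscaled and alloy have already been launched. A foreground `nginx -t` on the line before it would let `set -e` abort immediately. The comment should also say that port 8080 now accepts public requests before the tailnet is up, so early requests are expected to fail until MagicDNS answers.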
@@ -19,5 +26,5 @@ alloy run /etc/alloy/config.alloy \
 --storage.path=/tmp/alloy-data &
 echo "Alloy started"
-# Start nginx — MagicDNS resolves *.tail8d86e.ts.net hostnames
-nginx -g "daemon off;"
+# Block on nginx — container exits if nginx stops
+wait $NGINX_PID
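Review bot: `wait $NGINX_PID` supervises nginx only, so if tailscaled (started earlier in the script) exits, the container stays up and nginx keeps accepting requests it can no longer proxy. Before this commit nginx needed Tailscale DNS to start at all; now a machine whose tailnet link is dead still binds 8080 and, if the deploy check only looks at the port, appears healthy. I would say so in the comment, `# Block on nginx only — tailscaled/alloy exits are not detected here`, and quote the expansion: `wait "$NGINX_PID"`.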