diff --git a/lxc1/p1-ingress/technitium.yml b/lxc1/p1-ingress/technitium.yml
index 1282275..ae54b41 100644
--- a/lxc1/p1-ingress/technitium.yml
+++ b/lxc1/p1-ingress/technitium.yml
@@ -20,12 +20,22 @@ services:
     labels:
       - "traefik.enable=${DNS_TRAEFIK_ENABLED}"
       - "traefik.docker.network=dns_external"
-      # Dynamic Router Name (dns1 vs dns2)
-      - "traefik.http.routers.dns${DNS_NODE_ID}.rule=Host(`dns${DNS_NODE_ID}.${TRAEFIK_DNS_SUFFIX}`)"
-      - "traefik.http.routers.dns${DNS_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
-      - "traefik.http.routers.dns${DNS_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
-      - "traefik.http.services.dns${DNS_NODE_ID}.loadbalancer.server.port=${DNS_TRAEFIK_PORT}"
-
+      # --- SHARED HA ROUTER ---
+      # The router NAME must be unique, so we add the ID here too
+      - "traefik.http.routers.dns-shared-${DNS_NODE_ID}.rule=Host(`dns.${TRAEFIK_DNS_SUFFIX}`)"
+      - "traefik.http.routers.dns-shared-${DNS_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
+      - "traefik.http.routers.dns-shared-${DNS_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
+      # Both point to the SAME service name to enable load balancing
+      - "traefik.http.routers.dns-shared-${DNS_NODE_ID}.service=dns-common-service"
+      # --- NODE-SPECIFIC ADMIN ROUTER ---
+      # Unique router name and unique Host rule
+      - "traefik.http.routers.dns-admin-${DNS_NODE_ID}.rule=Host(`dns${DNS_NODE_ID}.${TRAEFIK_DNS_SUFFIX}`)"
+      - "traefik.http.routers.dns-admin-${DNS_NODE_ID}.entrypoints=${TRAEFIK_ENTRY_POINTS}"
+      - "traefik.http.routers.dns-admin-${DNS_NODE_ID}.tls.certresolver=${TRAEFIK_RESOLVER}"
+      - "traefik.http.routers.dns-admin-${DNS_NODE_ID}.service=dns-common-service"
+      # --- THE SHARED SERVICE ---
+      # This name MUST be identical on Node 1 and Node 2
+      - "traefik.http.services.dns-common-service.loadbalancer.server.port=${DNS_TRAEFIK_PORT}"
 networks:
   dns_external:
     driver: bridge