diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh
index df6a63a..0d4b3ec 100755
--- a/linux/build/scripts/build.sh
+++ b/linux/build/scripts/build.sh
@@ -28,11 +28,11 @@ cd "${REPO_ROOT}"
 # Bumped together with linux/build/docker/Dockerfile.builder. The digest form
 # is required; refusing the tag-only form is what stops a silent host drift.
 #
-# Default points at the internal registry hostname used by CI runners. The
-# external endpoint (docker-registry.silverlabs.uk) serves the same registry
-# and the same content-addressed digest, so external dev can override with:
-#   BUILDER_IMAGE=docker-registry.silverlabs.uk/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85
-BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry:5000/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85}"
+# docker-registry.silverlabs.uk is the canonical hostname both inside and
+# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
+# registers as an insecure-registry. The host-style "docker-registry:5000"
+# is *not* DNS-resolvable; do not use it.
+BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:9e7161f9f180483f434074d7f32c27c907955232bd0c44efe6dc0ee1d9e56ae0}"
 
 if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
     echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2