diff --git a/client/internal/dns/server.go b/client/internal/dns/server.go
index afaf0579f..94945b55a 100644
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -80,6 +80,7 @@ type DefaultServer struct {
 	updateSerial       uint64
 	previousConfigHash uint64
 	currentConfig      HostDNSConfig
+	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
 
@@ -207,6 +208,7 @@ func newDefaultServer(
 		hostsDNSHolder:    newHostsDNSHolder(),
 		hostManager:       &noopHostConfigurator{},
 		mgmtCacheResolver: mgmtCacheResolver,
+		currentConfigHash: ^uint64(0), // Initialize to max uint64 to ensure first config is always applied
 	}
 
 	// register with root zone, handler chain takes care of the routing
@@ -586,8 +588,29 @@ func (s *DefaultServer) applyHostConfig() {
 
 	log.Debugf("extra match domains: %v", maps.Keys(s.extraDomains))
 
+	hash, err := hashstructure.Hash(config, hashstructure.FormatV2, &hashstructure.HashOptions{
+		ZeroNil:         true,
+		IgnoreZeroValue: true,
+		SlicesAsSets:    true,
+		UseStringer:     true,
+	})
+	if err != nil {
+		log.Warnf("unable to hash the host dns configuration, will apply config anyway: %s", err)
+		// Fall through to apply config anyway (fail-safe approach)
+	} else if s.currentConfigHash == hash {
+		log.Debugf("not applying host config as there are no changes")
+		return
+	}
+
+	log.Debugf("applying host config as there are changes")
 	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
 		log.Errorf("failed to apply DNS host manager update: %v", err)
+		return
+	}
+
+	// Only update hash if it was computed successfully and config was applied
+	if err == nil {
+		s.currentConfigHash = hash
 	}
 
 	s.registerFallback(config)
diff --git a/client/internal/dns/server_test.go b/client/internal/dns/server_test.go
index d12070128..fe1f67f66 100644
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -1602,7 +1602,10 @@ func TestExtraDomains(t *testing.T) {
 				"other.example.com.",
 				"duplicate.example.com.",
 			},
-			applyHostConfigCall: 4,
+			// Expect 3 calls instead of 4 because when deregistering duplicate.example.com,
+			// the domain remains in the config (ref count goes from 2 to 1), so the host
+			// config hash doesn't change and applyDNSConfig is not called.
+			applyHostConfigCall: 3,
 		},
 		{
 			name: "Config update with new domains after registration",
@@ -1657,7 +1660,10 @@ func TestExtraDomains(t *testing.T) {
 			expectedMatchOnly: []string{
 				"extra.example.com.",
 			},
-			applyHostConfigCall: 3,
+			// Expect 2 calls instead of 3 because when deregistering protected.example.com,
+			// it's removed from extraDomains but still remains in the config (from customZones),
+			// so the host config hash doesn't change and applyDNSConfig is not called.
+			applyHostConfigCall: 2,
 		},
 		{
 			name: "Register domain that is part of nameserver group",