diff --git a/RUNBOOK.md b/RUNBOOK.md
index 89f48df..5f0b492 100644
--- a/RUNBOOK.md
+++ b/RUNBOOK.md
@@ -230,6 +230,28 @@ Symptoms: MCNS fails to start with "address already in use" on port 53.
 `[dns] listen_addr` in `mcns.toml` to a different address.
 4. Restart MCNS and verify DNS is responding.
 
+## Deployment with MCP
+
+MCNS runs on rift as a single container managed by MCP. The service
+definition lives at `~/.config/mcp/services/mcns.toml` on the operator's
+machine. A reference copy is maintained at `deploy/mcns-rift.toml` in
+this repository.
+
+The container image is pulled from MCR. The container mounts `/srv/mcns`
+and runs as `--user 0:0`. DNS listens on port 53 (UDP+TCP) on both
+192.168.88.181 and 100.95.252.120, with the management API on 8443/9443.
+
+Note: the operator's `~/.config/mcp/services/mcns.toml` may still
+reference the old CoreDNS image and needs updating to the new MCNS image.
+
+### Key Operations
+
+1. Deploy or update: `mcp deploy mcns`
+2. Restart: `mcp restart mcns`
+3. Stop: `mcp stop mcns` (WARNING: stops DNS for all internal zones)
+4. Check status: `mcp ps` or `mcp status mcns`
+5. View logs: `ssh rift 'doas su - mcp -s /bin/sh -c "podman logs mcns"'`
+
 ## Escalation
 
 Escalate when:
diff --git a/deploy/mcns-rift.toml b/deploy/mcns-rift.toml
new file mode 100644
index 0000000..edd02bb
--- /dev/null
+++ b/deploy/mcns-rift.toml
@@ -0,0 +1,17 @@
+name = "mcns"
+node = "rift"
+active = true
+
+[[components]]
+name = "dns"
+image = "mcr.svc.mcp.metacircular.net:8443/mcns:latest"
+user = "0:0"
+restart = "unless-stopped"
+ports = [
+ "192.168.88.181:53:53/tcp",
+ "192.168.88.181:53:53/udp",
+ "100.95.252.120:53:53/tcp",
+ "100.95.252.120:53:53/udp",
+]
+volumes = ["/srv/mcns:/srv/mcns"]
+cmd = ["server", "--config", "/srv/mcns/mcns.toml"]
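Review bot: `image = "mcr.svc.mcp.metacircular.net:8443/mcns:latest"` in deploy/mcns-rift.toml tracks a mutable tag, so every `mcp deploy mcns` runs whatever was last pushed under that name, and it does so with `user = "0:0"` while serving DNS for the internal zones. Pin the reference copy to a release tag or digest, e.g. `image = "mcr.svc.mcp.metacircular.net:8443/mcns@sha256:<digest-of-reviewed-build>"` (placeholder; this assumes MCP hands the reference to podman unchanged), so that a deploy is reproducible and the rollback target is known. A comment above `user = "0:0"` stating why root inside the container is required, such as `# root in the container: <reason, e.g. binding port 53 or ownership of /srv/mcns>`, would let a later reader judge whether it can be dropped. The RUNBOOK.md hunk in this commit also says the management API is on 8443/9443, but `ports` here publishes only 53/tcp and 53/udp; either the runbook should say how that API is reached, or a comment here should mark the omission as deliberate.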