diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61b7575e5..3f01a29e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,9 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 * Correctly detect failed version checker Pods
 * retry cluster status updates, reducing test flakes
+## Changed
+* Cluster domain for cert generation is now autodetected by running a DNS query
+
 # [v2.7.0](https://github.com/cockroachdb/cockroach-operator/compare/v2.6.0...v2.7.0)
 ## Fixed
diff --git a/pkg/resource/BUILD.bazel b/pkg/resource/BUILD.bazel
index 34d3b85e1..8be640052 100644
--- a/pkg/resource/BUILD.bazel
+++ b/pkg/resource/BUILD.bazel
@@ -28,6 +28,7 @@ go_library(
 "//pkg/labels:go_default_library",
 "//pkg/ptr:go_default_library",
 "//pkg/security:go_default_library",
+ "//pkg/util:go_default_library",
 "//pkg/utilfeature:go_default_library",
 "@com_github_cockroachdb_errors//:go_default_library",
 "@com_github_go_logr_logr//:go_default_library",
diff --git a/pkg/resource/cluster.go b/pkg/resource/cluster.go
index 8a5f6c263..5587319e1 100644
--- a/pkg/resource/cluster.go
+++ b/pkg/resource/cluster.go
@@ -26,6 +26,7 @@ import (
 api "github.com/cockroachdb/cockroach-operator/apis/v1alpha1"
 "github.com/cockroachdb/cockroach-operator/pkg/clusterstatus"
 "github.com/cockroachdb/cockroach-operator/pkg/condition"
+ "github.com/cockroachdb/cockroach-operator/pkg/util"
 "github.com/cockroachdb/errors"
 "github.com/gosimple/slug"
 corev1 "k8s.io/api/core/v1"
@@ -199,7 +200,7 @@ func (cluster Cluster) LookupSupportedVersion(version string) (string, bool) {
 return "", false
 }
-//GetVersionAnnotation gets the current version of the cluster retrieved by version checker action
+// GetVersionAnnotation gets the current version of the cluster retrieved by version checker action
 func (cluster Cluster) GetVersionAnnotation() string {
 return cluster.getAnnotation(CrdbVersionAnnotation)
 }
@@ -270,7 +271,7 @@ func (cluster Cluster) GetCockroachDBImageName() string {
 }
 return NotSupportedVersion
 }
- //we validate the version after the job runs with exec
+ // we validate the version after the job runs with exec
 return cluster.Spec().Image.Name
 }
@@ -308,7 +309,7 @@ func (cluster Cluster) CASecretName() string {
 }
 func (cluster Cluster) Domain() string {
- return "svc.cluster.local"
+ return fmt.Sprintf("svc.%s", util.GetClusterDomain())
 }
 func (cluster Cluster) SecureMode() string {
diff --git a/pkg/resource/webhook_certificates.go b/pkg/resource/webhook_certificates.go
index af4bceaa4..a6382a8d6 100644
--- a/pkg/resource/webhook_certificates.go
+++ b/pkg/resource/webhook_certificates.go
@@ -21,6 +21,7 @@ import (
 "fmt"
 "github.com/cockroachdb/cockroach-operator/pkg/security"
+ "github.com/cockroachdb/cockroach-operator/pkg/util"
 "github.com/cockroachdb/errors"
 "github.com/go-logr/logr"
 "go.uber.org/zap/zapcore"
@@ -97,7 +98,7 @@ func CreateWebhookCertificate(ctx context.Context, api SecretsInterface, ns stri
 webhookService,
 fmt.Sprintf("%s.%s", webhookService, ns),
 fmt.Sprintf("%s.%s.svc", webhookService, ns),
- fmt.Sprintf("%s.%s.svc.cluster.local", webhookService, ns),
+ fmt.Sprintf("%s.%s.svc.%s", webhookService, ns, util.GetClusterDomain()),
 ))
 if err != nil {
diff --git a/pkg/util/BUILD.bazel b/pkg/util/BUILD.bazel
index bd83dbd8a..236df7fe8 100644
--- a/pkg/util/BUILD.bazel
+++ b/pkg/util/BUILD.bazel
@@ -4,6 +4,7 @@ go_library(
 name = "go_default_library",
 srcs = [
 "api_kind_checker.go",
+ "cluster_domain.go",
 "tmp_dir.go",
 ],
 importpath = "github.com/cockroachdb/cockroach-operator/pkg/util",
diff --git a/pkg/util/cluster_domain.go b/pkg/util/cluster_domain.go
new file mode 100644
index 000000000..c8ed6b641
--- /dev/null
+++ b/pkg/util/cluster_domain.go
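Review bot: Domain() in the -308 hunk of cluster.go changes from returning a constant to a call that, on its first invocation, performs a DNS lookup bounded by the 5 s timeout inside util.GetClusterDomain, so an accessor that used to be free can now block on network I/O in whichever path calls it first (presumably reconciliation; the callers are outside this diff). Consider warming the lookup once at operator startup so the latency and the fallback decision happen in a known place rather than mid-reconcile. A point of style: the prefix is constant, so `return "svc." + util.GetClusterDomain()` reads more directly than fmt.Sprintf with a `%s` template. The same first-call lookup applies to the SAN list in the -97 hunk of webhook_certificates.go.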
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The Cockroach Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+ "context"
+ "net"
+ "sync"
+ "time"
+)
+
+var (
+ once = &sync.Once{}
+ clusterDomain = "cluster.local"
+)
+
+// GetClusterDomain returns the cluster domain of the k8s cluster.
+// It is auto-detected by lazily running a DNS query.
+// It defaults to "cluster.local" if we cannot determine the domain.
+func GetClusterDomain() string {
+ once.Do(func() {
+ // We try to lookup a non-FQDN that *should* always exist in the
+ // k8s's domain.
+ // Reference: https://stackoverflow.com/a/59162874
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ const host = "kubernetes.default.svc"
+ cname, err := net.DefaultResolver.LookupCNAME(ctx, host)
+ if err == nil {
+ clusterDomain = cname[len(host)+1 : len(cname)-1]
+ }
+ })
+ return clusterDomain
+}
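Review bot: `clusterDomain = cname[len(host)+1 : len(cname)-1]` in GetClusterDomain trusts the shape of whatever LookupCNAME returns: it assumes the canonical name begins with `kubernetes.default.svc.` and ends with a trailing dot, and it panics with a slice-bounds error if the returned name is shorter than len(host)+2. Since `host` is a non-FQDN, its expansion depends on the pod's resolv.conf search list and on whichever resolver answers, so a name that does not carry that prefix (an unexpected search domain, or a resolver the operator did not intend to consult) would be cut into an arbitrary string that the -308 hunk in cluster.go and the -97 hunk in webhook_certificates.go then place into certificate SANs. Validate the answer before accepting it — require the `host + "."` prefix and the trailing dot, reject an empty remainder, and keep the `cluster.local` default otherwise (this needs `strings` added to the import block). A related robustness point: once.Do also caches a transient lookup failure for the life of the process, so an operator that starts before cluster DNS is reachable is pinned to the default; an explicit configuration override that takes precedence over autodetection would give administrators a deterministic path.
```go
		const host = "kubernetes.default.svc"
		cname, err := net.DefaultResolver.LookupCNAME(ctx, host)
		if err != nil {
			return
		}
		// Accept only "<host>.<domain>." — any other shape came from an
		// unexpected search domain or resolver and must not reach certificate SANs.
		if !strings.HasPrefix(cname, host+".") || !strings.HasSuffix(cname, ".") {
			return
		}
		if domain := strings.TrimSuffix(strings.TrimPrefix(cname, host+"."), "."); domain != "" {
			clusterDomain = domain
		}
```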