diff --git a/tailnet/controllers.go b/tailnet/controllers.go
index e0a57660624e2..832baf09cddf5 100644
--- a/tailnet/controllers.go
+++ b/tailnet/controllers.go
@@ -883,23 +883,30 @@ type Workspace struct {
 }
 
 // updateDNSNames updates the DNS names for all agents in the workspace.
+// DNS hosts must be all lowercase, or the resolver won't be able to find them.
+// Usernames are globally unique & case-insensitive.
+// Workspace names are unique per-user & case-insensitive.
+// Agent names are unique per-workspace & case-insensitive.
 func (w *Workspace) updateDNSNames() error {
+	wsName := strings.ToLower(w.Name)
+	username := strings.ToLower(w.ownerUsername)
 	for id, a := range w.agents {
+		agentName := strings.ToLower(a.Name)
 		names := make(map[dnsname.FQDN][]netip.Addr)
 		// TODO: technically, DNS labels cannot start with numbers, but the rules are often not
 		//       strictly enforced.
-		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.%s.me.coder.", a.Name, w.Name))
+		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.%s.me.coder.", agentName, wsName))
 		if err != nil {
 			return err
 		}
 		names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
-		fqdn, err = dnsname.ToFQDN(fmt.Sprintf("%s.%s.%s.coder.", a.Name, w.Name, w.ownerUsername))
+		fqdn, err = dnsname.ToFQDN(fmt.Sprintf("%s.%s.%s.coder.", agentName, wsName, username))
 		if err != nil {
 			return err
 		}
 		names[fqdn] = []netip.Addr{CoderServicePrefix.AddrFromUUID(a.ID)}
 		if len(w.agents) == 1 {
-			fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.coder.", w.Name))
+			fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%s.coder.", wsName))
 			if err != nil {
 				return err
 			}