diff --git a/api/v1alpha1/tenantcontrolplane_types.go b/api/v1alpha1/tenantcontrolplane_types.go
index 627d937e..8d4da133 100644
--- a/api/v1alpha1/tenantcontrolplane_types.go
+++ b/api/v1alpha1/tenantcontrolplane_types.go
@@ -36,13 +36,16 @@ type NetworkProfileSpec struct {
 // CertSANs sets extra Subject Alternative Names (SANs) for the API Server signing certificate.
 // Use this field to add additional hostnames when exposing the Tenant Control Plane with third solutions.
 CertSANs []string `json:"certSANs,omitempty"`
- // Kubernetes Service
+ // CIDR for Kubernetes Services: if empty, defaulted to 10.96.0.0/16.
 //+kubebuilder:default="10.96.0.0/16"
 ServiceCIDR string `json:"serviceCidr,omitempty"`
- // CIDR for Kubernetes Pods
+ // CIDR for Kubernetes Pods: if empty, defaulted to 10.244.0.0/16.
 //+kubebuilder:default="10.244.0.0/16"
 PodCIDR string `json:"podCidr,omitempty"`
- //+kubebuilder:default={"10.96.0.10"}
+ // The DNS Service for internal resolution, it must match the Service CIDR.
+ // In case of an empty value, it is automatically computed according to the Service CIDR, e.g.:
+ // Service CIDR 10.96.0.0/16, the resulting DNS Service IP will be 10.96.0.10 for IPv4,
+ // for IPv6 from the CIDR 2001:db8:abcd::/64 the resulting DNS Service IP will be 2001:db8:abcd::10.
 DNSServiceIPs []string `json:"dnsServiceIPs,omitempty"`
 }
diff --git a/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml b/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml
index db2e8508..8de739fd 100644
--- a/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml
+++ b/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml
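Review bot: The new DNSServiceIPs comment describes the computed value but not where it comes from: with the `//+kubebuilder:default={"10.96.0.10"}` marker removed, the CRD no longer fills this field, and the value is now derived in the mutating webhook's OnCreate from ServiceCIDR (see the tcp_defaults.go hunk). Readers of the API type cannot see that, so I would extend the comment with `// The default is computed by the mutating admission webhook on creation; objects admitted without the webhook keep the field empty.` — the second clause depends on the webhook failure policy, which is not visible here, so confirm it before stating it. The comment also says the value "must match the Service CIDR", yet no validation marker in this hunk enforces that; either add one or reword it as a requirement on the user rather than a guarantee of the API.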
@@ -6558,8 +6558,11 @@ spec: - message: changing the cluster domain is not supported rule: self == oldSelf dnsServiceIPs: - default: - - 10.96.0.10 + description: |- + The DNS Service for internal resolution, it must match the Service CIDR. + In case of an empty value, it is automatically computed according to the Service CIDR, e.g.: + Service CIDR 10.96.0.0/16, the resulting DNS Service IP will be 10.96.0.10 for IPv4, + for IPv6 from the CIDR 2001:db8:abcd::/64 the resulting DNS Service IP will be 2001:db8:abcd::10. items: type: string type: array @@ -6577,7 +6580,7 @@ spec: type: array podCidr: default: 10.244.0.0/16 - description: CIDR for Kubernetes Pods + description: 'CIDR for Kubernetes Pods: if empty, defaulted to 10.244.0.0/16.' type: string port: default: 6443 @@ -6586,7 +6589,7 @@ spec: type: integer serviceCidr: default: 10.96.0.0/16 - description: Kubernetes Service + description: 'CIDR for Kubernetes Services: if empty, defaulted to 10.96.0.0/16.' type: string type: object required: diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md index a620d476..d51d8fcb 100644 --- a/docs/content/reference/api.md +++ b/docs/content/reference/api.md @@ -13937,9 +13937,10 @@ Use this field to add additional hostnames when exposing the Tenant Control Plan dnsServiceIPs []string -
-
- Default: [10.96.0.10]
+ The DNS Service for internal resolution, it must match the Service CIDR. +In case of an empty value, it is automatically computed according to the Service CIDR, e.g.: +Service CIDR 10.96.0.0/16, the resulting DNS Service IP will be 10.96.0.10 for IPv4, +for IPv6 from the CIDR 2001:db8:abcd::/64 the resulting DNS Service IP will be 2001:db8:abcd::10.
false @@ -13959,7 +13960,7 @@ Example: {"192.168.1.0/24", "10.0.0.0/8"}
podCidr string - CIDR for Kubernetes Pods
+ CIDR for Kubernetes Pods: if empty, defaulted to 10.244.0.0/16.

Default: 10.244.0.0/16
@@ -13978,7 +13979,7 @@ Example: {"192.168.1.0/24", "10.0.0.0/8"}
serviceCidr string - Kubernetes Service
+ CIDR for Kubernetes Services: if empty, defaulted to 10.96.0.0/16.

Default: 10.96.0.0/16
diff --git a/internal/webhook/handlers/tcp_defaults.go b/internal/webhook/handlers/tcp_defaults.go
index 6274d13c..18f529a6 100644
--- a/internal/webhook/handlers/tcp_defaults.go
+++ b/internal/webhook/handlers/tcp_defaults.go
@@ -6,6 +6,7 @@ package handlers
 import (
 "context"
 "fmt"
+ "net"
 "strings"
 "github.com/pkg/errors"
@@ -29,6 +30,21 @@ func (t TenantControlPlaneDefaults) OnCreate(object runtime.Object) AdmissionRes
 defaulted := original.DeepCopy()
 t.defaultUnsetFields(defaulted)
+ if len(defaulted.Spec.NetworkProfile.DNSServiceIPs) == 0 {
+ ip, _, err := net.ParseCIDR(defaulted.Spec.NetworkProfile.ServiceCIDR)
+ if err != nil {
+ return nil, errors.Wrap(err, "cannot define resulting DNS Service IP")
+ }
+ switch {
+ case ip.To4() != nil:
+ ip[len(ip)-1] += 10
+ case ip.To16() != nil:
+ ip[len(ip)-1] += 16
+ }
+
+ defaulted.Spec.NetworkProfile.DNSServiceIPs = []string{ip.String()}
+ }
+
 operations, err := utils.JSONPatch(original, defaulted)
 if err != nil {
 return nil, errors.Wrap(err, "cannot create patch responses upon Tenant Control Plane creation")
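Review bot: The first value returned by `net.ParseCIDR` is the literal address written in ServiceCIDR, not the network base address, so the added block in OnCreate derives the DNS IP from whatever host bits the user typed (a constructed `10.96.0.250/16` yields `10.96.0.4` after the byte add wraps, not `10.96.0.10`), and nothing checks that the result lies inside the Service CIDR at all (a `/30` produces an address outside the range). Start from the masked `IPNet.IP` returned as the second value and reject the computed address with `svcNet.Contains` before storing it, so the admission webhook never persists a DNS IP the service range cannot serve. The IPv6 branch adds 16 to the last byte, which gives the `::10` quoted in the field documentation; if the intent was the tenth address of the range (`::a`, the kubeadm convention), the constant should be 10 in both branches — a comment stating which was chosen would help either way. The field comment also says an explicit value "must match the Service CIDR", but this hunk only computes the default; I cannot see whether a validating handler checks user-supplied entries against ServiceCIDR. OnCreate continues outside the hunk.

```go
	if len(defaulted.Spec.NetworkProfile.DNSServiceIPs) == 0 {
		_, svcNet, err := net.ParseCIDR(defaulted.Spec.NetworkProfile.ServiceCIDR)
		if err != nil {
			return nil, errors.Wrap(err, "cannot define resulting DNS Service IP")
		}
		// Derive from the masked network address, not from host bits the user may have written.
		dnsIP := make(net.IP, len(svcNet.IP))
		copy(dnsIP, svcNet.IP)
		switch {
		case dnsIP.To4() != nil:
			dnsIP[len(dnsIP)-1] += 10
		default:
			dnsIP[len(dnsIP)-1] += 16
		}
		// A byte add can wrap or land past the end of a small prefix; refuse rather than persist a bogus IP.
		if !svcNet.Contains(dnsIP) {
			return nil, errors.Errorf("cannot define resulting DNS Service IP: %s is outside the Service CIDR %s", dnsIP, svcNet)
		}

		defaulted.Spec.NetworkProfile.DNSServiceIPs = []string{dnsIP.String()}
	}
	// … unchanged: JSONPatch and admission response …
```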