@ignoramous Thanks for your reply with the excellent pointers. I was not aware of Distroless Containers yet. But I will try them on Fly, first together with the minimal example Reflect from Miek Gieben’s Go DNS library.
Then Miek’s CoreDNS will be the next step using this excellent Howto Guide Authoritative DNS on Fly which I found in the the thread Request for guide: Authoritative nameservers with CoreDNS.
In the past, MirageOS devs had mentioned the idea of targeting Firecracker VMs as well, once they are done with Solo5. The latter has been achieved on OpenBSD some two or three years ago. So maybe it is worthwhile to followup with them about Firecracker, and other ways to target Fly.