diff --git a/docs/hosts.md b/docs/hosts.md
index e6c5ac855..0298c9305 100644
--- a/docs/hosts.md
+++ b/docs/hosts.md
@@ -73,6 +73,9 @@ $ tree /etc/containerd/certs.d
     └── hosts.toml
 ```
 
+Optionally the `_default` registry host namespace can be used as a fallback, if no
+other namespace matches.
+
 The `/v2` portion of the pull request format shown above refers to the version of the
 distribution api. If not included in the pull request, `/v2` is added by default for all
 clients compliant to the distribution specification linked above.
@@ -157,6 +160,21 @@ server = "https://registry-1.docker.io"    # Exclude this to not use upstream
   ca = "docker-mirror.crt"                 # Or absolute path /etc/containerd/certs.d/docker.io/docker-mirror.crt
 ```
 
+### Setup Default Mirror for All Registries
+
+```
+$ tree /etc/containerd/certs.d
+/etc/containerd/certs.d
+└── _default
+    └── hosts.toml
+
+$ cat /etc/containerd/certs.d/_default/hosts.toml
+server = "https://registry.example.com"
+
+[host."https://registry.example.com"]
+  capabilities = ["pull", "resolve"]
+```
+
 ### Bypass TLS Verification Example
 
 To bypass the TLS verification for a private registry at `192.168.31.250:5000`