diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
index 9b8baa781c11c451fac7a0300800a29e5b3ee757..dd672c19b9331611be3b57c380d94b2c77eed17f 100644
--- a/docs/usage/configuration-options.md
+++ b/docs/usage/configuration-options.md
@@ -1024,6 +1024,8 @@ Example:
 This can be a base URL (e.g. `https://api.github.com`) or a hostname like `github.com` or `api.github.com`.
 If the value starts with `http(s)` then it will only match against URLs which start with the full base URL.
 Otherwise, it will be matched by checking if the URL's hostname matches the `matchHost` directly or ends with it.
+When checking the end of the hostname, a single dot is prefixed to the value of `matchHost`, if one is not
+already present, to ensure it can only match against whole domain segments.
 
 ### timeout
 
diff --git a/lib/util/host-rules.spec.ts b/lib/util/host-rules.spec.ts
index 1e01f83c89c94873ea6aacec10a7f2ada6c7efb3..7bc63e902dde7dfa351e3e83787d2f5ced274a3c 100644
--- a/lib/util/host-rules.spec.ts
+++ b/lib/util/host-rules.spec.ts
@@ -208,6 +208,15 @@ describe('util/host-rules', () => {
       expect(find({ url: 'https://domain.com' }).token).toEqual('def');
       expect(find({ url: 'httpsdomain.com' }).token).toBeUndefined();
     });
+    it('matches on matchHost with dot prefix', () => {
+      add({
+        matchHost: '.domain.com',
+        token: 'def',
+      });
+      expect(find({ url: 'https://api.domain.com' }).token).toEqual('def');
+      expect(find({ url: 'https://domain.com' }).token).toBeUndefined();
+      expect(find({ url: 'httpsdomain.com' }).token).toBeUndefined();
+    });
     it('matches on hostType and endpoint', () => {
       add({
         hostType: datasourceNuget.id,
diff --git a/lib/util/host-rules.ts b/lib/util/host-rules.ts
index d9c18f536b38555770274b241b96f53837e65057..c6887c5a0ea62bda44efa6162790262ba23af981 100644
--- a/lib/util/host-rules.ts
+++ b/lib/util/host-rules.ts
@@ -85,7 +85,10 @@ function matchesHost(rule: HostRule, search: HostRuleSearch): boolean {
     return false;
   }
   const { hostname } = parsedUrl;
-  return hostname === rule.matchHost || hostname.endsWith(`.${rule.matchHost}`);
+  const dotPrefixedMatchHost = rule.matchHost.startsWith('.')
+    ? rule.matchHost
+    : `.${rule.matchHost}`;
+  return hostname === rule.matchHost || hostname.endsWith(dotPrefixedMatchHost);
 }
 
 export function find(search: HostRuleSearch): HostRule {