diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 570748fa5..edcee0664 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -31,6 +31,7 @@ Plugin Changelog
1.6.3
* Add: Disable Propagation Timeout in DNS Provider Tab. This can help if the DNS Challenge fails due to DNS Propagation being too slow.
+* Add: Set custom resolver for the DNS Challenge in the DNS Provider tab.
1.6.2
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 738419d5c..b296f9117 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -51,6 +51,12 @@
true
+
+ caddy.general.TlsDnsPropagationResolvers
+
+ text
+
+
caddy.general.TlsDnsPropagationTimeout
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f61d5c937..4b3e91a56 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -70,6 +70,9 @@
+
+ N
+
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 32d33f062..673fd397c 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -319,36 +319,38 @@
# - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
# - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
# - @param TlsDnsPropagationTimeout (boolean, optional): Disables Propagation Timeout for DNS Challenge.
+# - @param TlsDnsPropagationResolvers (string, optional): Set custom nameserver for DNS Challenge.
#}
-{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) %}
- {% if dnsChallenge == "1" and dnsProvider %}
- {% if dnsProvider in dnsProviderSpecialConfig %}
- tls {
- issuer acme {
- dns {{ dnsProvider }} {
- {% include "OPNsense/Caddy/includeDnsProvider" %}
- }
- {% if TlsDnsPropagationTimeout|default("0") == "1" %}
- propagation_delay 30s
- propagation_timeout -1
- {% endif %}
+{% macro tls_configuration(
+ customCert,
+ dnsChallenge,
+ dnsProvider,
+ dnsApiKey,
+ dnsSecretApiKey,
+ tlsDnsOptionalField1,
+ tlsDnsOptionalField2,
+ tlsDnsOptionalField3,
+ tlsDnsOptionalField4,
+ tlsDnsPropagationTimeout,
+ tlsDnsPropagationResolvers
+) %}
+ {% if customCert or (dnsChallenge == "1" and dnsProvider) %}
+ tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {% if not customCert and dnsChallenge == "1" and dnsProvider %}{
+ issuer acme {
+ dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
+ {% include "OPNsense/Caddy/includeDnsProvider" %}
}
+ {% endif %}
+
+ {% if tlsDnsPropagationResolvers %}
+ resolvers {{ tlsDnsPropagationResolvers }}
+ {% endif %}
+ {% if tlsDnsPropagationTimeout|default("0") == "1" %}
+ propagation_delay 30s
+ propagation_timeout -1
+ {% endif %}
}
- {% else %}
- tls {
- issuer acme {
- {# Other DNS Providers fall under this default #}
- dns {{ dnsProvider }} {{ dnsApiKey }}
- {% if TlsDnsPropagationTimeout|default("0") == "1" %}
- propagation_delay 30s
- propagation_timeout -1
- {% endif %}
- }
- }
- {% endif %}
- {% endif %}
- {% if customCert %}
- tls /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key
+ }{% endif %}
{% endif %}
{% endmacro %}
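Review bot: `resolvers {{ tlsDnsPropagationResolvers }}` renders the general setting verbatim inside the `issuer acme` block, and the model hunk in this patch shows only `N` for the new field, so I cannot tell whether it carries a validation mask; without one, a value containing newlines or braces would land in the Caddyfile as directive syntax rather than as a nameserver address. If it is a plain text field, constrain it to whitespace-separated host or IP addresses (optionally with `:port`), which is what the `resolvers` subdirective expects as far as I know, or at least strip line breaks and braces before rendering. The `@param` line added for it also names `TlsDnsPropagationResolvers` while the macro parameter is now `tlsDnsPropagationResolvers` (the other `@param` lines likewise keep the old capitalisation after the rename); I would write it as `# - @param tlsDnsPropagationResolvers (string, optional): One or more nameserver addresses (e.g. "1.1.1.1:53 8.8.8.8:53") used only for DNS challenge lookups; rendered verbatim into the Caddyfile.`. Note too that when both a custom certificate and a DNS challenge are configured, the rewritten `tls` line now emits only the certificate paths and silently drops the acme/dns configuration, whereas the removed code emitted both; that precedence is worth a comment above the macro since the changelog entry does not mention it.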
@@ -558,8 +560,21 @@
{% endif %}
{% set customCert = reverse.CustomCertificate|default("") %}
{% set dnsChallenge = reverse.DnsChallenge|default("0") %}
- {% set TlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
- {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) }}
+ {% set tlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
+ {% set tlsDnsPropagationResolvers = generalSettings.TlsDnsPropagationResolvers %}
+ {{ tls_configuration(
+ customCert,
+ dnsChallenge,
+ dnsProvider,
+ dnsApiKey,
+ dnsSecretApiKey,
+ tlsDnsOptionalField1,
+ tlsDnsOptionalField2,
+ tlsDnsOptionalField3,
+ tlsDnsOptionalField4,
+ tlsDnsPropagationTimeout,
+ tlsDnsPropagationResolvers
+ ) }}
{% if not reverse.accesslist %}
{% set basicauth_uuids = reverse.basicauth %}