diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index c34521a..31074af 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -16,6 +16,10 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
+# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
+# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+
 # install certbot + dependencies?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 29c490d..91de324 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -35,12 +35,7 @@
 # OCSP stapling...
 ssl_stapling on;
 ssl_stapling_verify on;
-{% if linode_id is defined %}
-# use Linode internal DNS
-resolver 139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6];
-{% else %}
-resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
-{% endif %} {# end: linode_id #}
+resolver {{ nginx_ssl_stapling_resolver }};
 {% endif %} {# end: use_letsencrypt #}
 # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
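Review bot: The new comment on `nginx_ssl_stapling_resolver` does not say how the value is consumed; the template hunk in this commit renders it verbatim as the argument list of nginx's `resolver` directive, so it must stay a single space-separated string (a YAML list would render as a Python-style list and break the nginx config) and any resolver parameters such as `valid=300s` or `ipv6=off` have to be appended here — the latter matters on hosts without IPv6 routing, since the default lists two IPv6 servers. It is also worth recording that this default sends OCSP-responder lookups to a public resolver over plain DNS, and that because the same commit drops the Linode-internal branch from the template, Linode hosts now need a group/host override (e.g. `nginx_ssl_stapling_resolver: '139.162.139.5 139.162.130.5 [2a01:7e01::5] [2a01:7e01::6]'`) to keep their previous resolvers. Suggested replacement for the two comment lines: `# Nameservers for OCSP stapling, rendered verbatim as the arguments of nginx's resolver directive:` / `# keep it one space-separated string (not a list); append parameters such as valid=300s or ipv6=off here.` / `# Public Cloudflare DNS by default; override per host/group (e.g. a provider's internal resolvers).`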