diff --git a/bdns/servers.go b/bdns/servers.go
index 688f293a0..090cf0119 100644
--- a/bdns/servers.go
+++ b/bdns/servers.go
@@ -105,9 +105,6 @@ type dynamicProvider struct {
 // a hostname it will be resolved via the system DNS. If the port is left
 // unspecified it will default to '53'. If this field is left unspecified
 // the system DNS will be used for resolution of DNS backends.
- //
- // TODO(#6868): Make this field required once 'dnsResolver' is removed from
- // the boulder-va JSON config in favor of 'dnsProvider'.
 dnsAuthority string
 // service is the service name to look up SRV records for within the domain.
 // If this field is left unspecified 'dns' will be used as the service name.
@@ -189,19 +186,15 @@ func StartDynamicProvider(c *cmd.DNSProvider, refresh time.Duration) (*dynamicPr
 service = "dns"
 }
 
- // TODO(#6868): Make dnsAuthority required once 'dnsResolver' is removed
- // from the boulder-va JSON config in favor of 'dnsProvider'.
- dnsAuthority := c.DNSAuthority
- if dnsAuthority != "" {
- host, port, err := ParseTarget(dnsAuthority, "53")
- if err != nil {
- return nil, err
- }
- dnsAuthority = net.JoinHostPort(host, port)
- err = validateServerAddress(dnsAuthority)
- if err != nil {
- return nil, err
- }
+ host, port, err := ParseTarget(c.DNSAuthority, "53")
+ if err != nil {
+ return nil, err
+ }
+
+ dnsAuthority := net.JoinHostPort(host, port)
+ err = validateServerAddress(dnsAuthority)
+ if err != nil {
+ return nil, err
 }
 
 dp := dynamicProvider{
@@ -222,7 +215,7 @@ func StartDynamicProvider(c *cmd.DNSProvider, refresh time.Duration) (*dynamicPr
 
 // Update once immediately, so we can know whether that was successful, then
 // kick off the long-running update goroutine.
- err := dp.update()
+ err = dp.update()
 if err != nil {
 return nil, fmt.Errorf("failed to start dynamic provider: %w", err)
 }
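Review bot: With the `if dnsAuthority != ""` guard removed in the second hunk, an empty `c.DNSAuthority` now goes straight into `ParseTarget`, and whether it is rejected depends on ParseTarget and validateServerAddress, neither of which is visible here. The `validate:"required"` tag added in cmd/config.go only protects callers that actually run config validation, so a direct caller could still pass an empty value. Since update() no longer falls back to the system resolver, I would fail closed explicitly before parsing: `if c.DNSAuthority == "" { return nil, fmt.Errorf("dnsAuthority must be specified") }`. StartDynamicProvider starts and ends outside the hunk.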
@@ -261,17 +254,12 @@ func (dp *dynamicProvider) update() error {
 ctx, cancel := context.WithTimeout(context.Background(), dp.refresh/2)
 defer cancel()
 
- // If dnsAuthority is specified, setup a custom resolver to use it
- // otherwise use a default system resolver.
- resolver := net.DefaultResolver
- if dp.dnsAuthority != "" {
- resolver = &net.Resolver{
- PreferGo: true,
- Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
- d := &net.Dialer{}
- return d.DialContext(ctx, network, dp.dnsAuthority)
- },
- }
+ resolver := &net.Resolver{
+ PreferGo: true,
+ Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+ d := &net.Dialer{}
+ return d.DialContext(ctx, network, dp.dnsAuthority)
+ },
 }
 
 // RFC 2782 formatted SRV record being queried e.g. "_service._proto.name."
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
index 8994b9b20..63495d734 100644
--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -27,8 +27,7 @@ type Config struct {
 // before giving up. May be short-circuited by deadlines. A zero value
 // will be turned into 1.
 DNSTries int
- DNSResolver string `validate:"required_without=DNSProvider,excluded_with=DNSProvider,omitempty,hostname|hostname_port"`
- DNSProvider *cmd.DNSProvider `validate:"required_without=DNSResolver,excluded_with=DNSResolver,omitempty"`
+ DNSProvider *cmd.DNSProvider `validate:"required"`
 DNSTimeout config.Duration `validate:"required"`
 DNSAllowLoopbackAddresses bool
 
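Review bot: The `Dial` closure in update() discards its `address` argument and always dials `dp.dnsAuthority`, and the only comment explaining the custom resolver was deleted together with the fallback. That override is what pins every SRV lookup to the configured authority, so I would state it above the `Dial:` field: `// Ignore the address chosen by the resolver; every lookup is pinned to dp.dnsAuthority.` When dnsAuthority is a hostname, the field comment in this file says it is resolved via the system DNS, so the system resolver presumably stays in the trust path on each dial; that is worth one more sentence in the same comment. update() continues outside the hunk.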
@@ -81,22 +80,8 @@ func main() {
 }
 clk := cmd.Clock()
 
- // TODO(#6868) Remove this once all instances of VA.DNSResolver have been
- // removed from production config files.
- if c.VA.DNSResolver != "" && c.VA.DNSProvider != nil {
- cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider")
- }
-
- if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil {
- cmd.Fail("Must specify either 'dnsResolver' or dnsProvider")
- }
-
- if c.VA.DNSProvider == nil && c.VA.DNSResolver != "" {
- c.VA.DNSProvider = &cmd.DNSProvider{
- SRVLookup: cmd.ServiceDomain{
- Domain: c.VA.DNSResolver,
- },
- }
+ if c.VA.DNSProvider == nil {
+ cmd.Fail("Must specify dnsProvider")
 }
 
 var servers bdns.ServerProvider
diff --git a/cmd/config.go b/cmd/config.go
index 18213cf51..fbe0c7276 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -525,10 +525,7 @@ type DNSProvider struct {
 // a hostname it will be resolved via the system DNS. If the port is left
 // unspecified it will default to '53'. If this field is left unspecified
 // the system DNS will be used for resolution of DNS backends.
- //
- // TODO(#6868): Make this field required once 'dnsResolver' is removed from
- // the boulder-va JSON config in favor of 'dnsProvider'.
- DNSAuthority string `validate:"omitempty,ip|hostname|hostname_port"`
+ DNSAuthority string `validate:"required,ip|hostname|hostname_port"`
 
 // SRVLookup contains the service and domain name used to construct a SRV
 // DNS query to lookup DNS backends. 'Domain' is required. 'Service' is
diff --git a/test/config/va-remote-a.json b/test/config/va-remote-a.json
index 2c948ea69..5c5f647cf 100644
--- a/test/config/va-remote-a.json
+++ b/test/config/va-remote-a.json
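Review bot: The new failure message in main() gives no hint to an operator whose config still carries the removed `dnsResolver` key. Depending on how the JSON config is decoded (not visible in this hunk), that stale key is either rejected as unknown or silently ignored, and in the second case the only diagnostic is "Must specify dnsProvider". I would name the migration in the message: `cmd.Fail("Must specify 'dnsProvider' ('dnsResolver' is no longer supported)")`. The nil check also repeats the `validate:"required"` tag on the Config field, which is fine as a second line of defence but deserves a one-line comment saying so.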
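Review bot: The context comment directly above `DNSAuthority` still ends with "If this field is left unspecified the system DNS will be used for resolution of DNS backends", which contradicts the new `required` tag and the removal of the resolver fallback in bdns/servers.go. I would replace that sentence with `// This field is required; backend lookups never fall back to the system DNS.` here and on `dynamicProvider.dnsAuthority` in bdns/servers.go, where the first hunk leaves the same sentence in place. The DNSProvider struct starts and ends outside the hunk.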
@@ -3,7 +3,13 @@
 "userAgent": "boulder-remote-a",
 "debugAddr": ":8011",
 "dnsTries": 3,
- "dnsResolver": "service.consul",
+ "dnsProvider": {
+ "dnsAuthority": "consul.service.consul",
+ "srvLookup": {
+ "service": "dns",
+ "domain": "service.consul"
+ }
+ },
 "dnsTimeout": "1s",
 "dnsAllowLoopbackAddresses": true,
 "issuerDomain": "happy-hacker-ca.invalid",
diff --git a/test/config/va-remote-b.json b/test/config/va-remote-b.json
index 3daf84b2d..79595b73d 100644
--- a/test/config/va-remote-b.json
+++ b/test/config/va-remote-b.json
@@ -3,7 +3,13 @@
 "userAgent": "boulder-remote-b",
 "debugAddr": ":8012",
 "dnsTries": 3,
- "dnsResolver": "service.consul",
+ "dnsProvider": {
+ "dnsAuthority": "consul.service.consul",
+ "srvLookup": {
+ "service": "dns",
+ "domain": "service.consul"
+ }
+ },
 "dnsTimeout": "1s",
 "dnsAllowLoopbackAddresses": true,
 "issuerDomain": "happy-hacker-ca.invalid",
diff --git a/test/config/va.json b/test/config/va.json
index 5d566110e..36d36f307 100644
--- a/test/config/va.json
+++ b/test/config/va.json
@@ -3,7 +3,13 @@
 "userAgent": "boulder",
 "debugAddr": ":8004",
 "dnsTries": 3,
- "dnsResolver": "service.consul",
+ "dnsProvider": {
+ "dnsAuthority": "consul.service.consul",
+ "srvLookup": {
+ "service": "dns",
+ "domain": "service.consul"
+ }
+ },
 "dnsTimeout": "1s",
 "dnsAllowLoopbackAddresses": true,
 "issuerDomain": "happy-hacker-ca.invalid",