diff --git a/gateway/gateway.toml b/gateway/gateway.toml
index cf704b5c..d3e5816b 100644
--- a/gateway/gateway.toml
+++ b/gateway/gateway.toml
@@ -79,6 +79,8 @@ handshake = "5s"
 # Timeout for top n hosts selection
 cache_top_n = "30s"
+# Timeout for DNS TXT record resolution (app address lookup).
+dns_resolve = "5s"
 # Enable data transfer timeouts below. This might impact performance. Turn off if
 # bad performance is observed.
diff --git a/gateway/src/config.rs b/gateway/src/config.rs
index 3b990795..9c81ca8e 100644
--- a/gateway/src/config.rs
+++ b/gateway/src/config.rs
@@ -99,6 +99,10 @@ pub struct Timeouts {
 #[serde(with = "serde_duration")]
 pub cache_top_n: Duration,
+ /// Timeout for DNS TXT record resolution (app address lookup).
+ #[serde(with = "serde_duration")]
+ pub dns_resolve: Duration,
+
 pub data_timeout_enabled: bool,
 #[serde(with = "serde_duration")]
 pub idle: Duration,
diff --git a/gateway/src/proxy/tls_passthough.rs b/gateway/src/proxy/tls_passthough.rs
index e2cea9d0..6184c1b5 100644
--- a/gateway/src/proxy/tls_passthough.rs
+++ b/gateway/src/proxy/tls_passthough.rs
@@ -79,8 +79,10 @@ pub(crate) async fn proxy_with_sni(
 ) -> Result<()> {
 let ns_prefix = &state.config.proxy.app_address_ns_prefix;
 let compat = state.config.proxy.app_address_ns_compat;
- let addr = resolve_app_address(ns_prefix, sni, compat)
+ let dns_timeout = state.config.proxy.timeouts.dns_resolve;
+ let addr = timeout(dns_timeout, resolve_app_address(ns_prefix, sni, compat))
 .await
+ .context("DNS TXT resolve timeout")?
 .context("failed to resolve app address")?;
 debug!("target address is {}:{}", addr.app_id, addr.port);
 proxy_to_app(state, inbound, buffer, &addr.app_id, addr.port).await
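Review bot: The new `dns_resolve` field in `Timeouts` has no serde default, so a deployed `gateway.toml` that predates this commit would presumably fail to deserialize until the key is added. The struct's derive and any container-level attributes are outside the hunk, so this is inferred from the field attributes alone. If older configs must keep loading, give the field a fallback, for example `#[serde(with = "serde_duration", default = "default_dns_resolve")]`, where `default_dns_resolve` is a new helper (proposed name) returning the same 5s the shipped config uses. The doc comment could also say what a zero or very small value means, e.g. `/// A value of "0s" makes every lookup fail; keep this above the resolver's own retry window.`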
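Review bot: The timeout error on the added `.context("DNS TXT resolve timeout")?` line names neither the hostname nor the configured limit, so an operator cannot tell from the log which lookup stalled or whether one name is being used to tie up connections. Consider `.with_context(|| format!("DNS TXT resolve timed out after {dns_timeout:?} for SNI {sni:?}"))?`. The SNI comes from the client, so the `{:?}` form is suggested so that control characters are escaped before they reach the log. The type of `sni` is not visible here, so confirm it implements `Debug`. `proxy_with_sni` starts and ends outside the hunk.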