From 04891913f8ca2c2fa90ca519edb907158937632e Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Sun, 25 Jan 2026 10:21:59 +0000
Subject: [PATCH] gateway: add configurable DNS TXT resolve timeout
Add a new `dns_resolve` timeout setting in the proxy timeouts config to prevent DNS TXT record lookups from hanging indefinitely when resolving app addresses. Default timeout is 5 seconds, configurable via gateway.toml:
[core.proxy.timeouts]
dns_resolve = "5s"
---
 gateway/gateway.toml | 2 ++
 gateway/src/config.rs | 4 ++++
 gateway/src/proxy/tls_passthough.rs | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/gateway/gateway.toml b/gateway/gateway.toml
index cf704b5c..d3e5816b 100644
--- a/gateway/gateway.toml
+++ b/gateway/gateway.toml
@@ -79,6 +79,8 @@ handshake = "5s"
 # Timeout for top n hosts selection
 cache_top_n = "30s"
+# Timeout for DNS TXT record resolution (app address lookup).
+dns_resolve = "5s"
 # Enable data transfer timeouts below. This might impact performance. Turn off if
 # bad performance is observed.
diff --git a/gateway/src/config.rs b/gateway/src/config.rs
index 3b990795..9c81ca8e 100644
--- a/gateway/src/config.rs
+++ b/gateway/src/config.rs
@@ -99,6 +99,10 @@ pub struct Timeouts {
 #[serde(with = "serde_duration")]
 pub cache_top_n: Duration,
+ /// Timeout for DNS TXT record resolution (app address lookup).
+ #[serde(with = "serde_duration")]
+ pub dns_resolve: Duration,
+
 pub data_timeout_enabled: bool,
 #[serde(with = "serde_duration")]
 pub idle: Duration,
diff --git a/gateway/src/proxy/tls_passthough.rs b/gateway/src/proxy/tls_passthough.rs
index e2cea9d0..6184c1b5 100644
--- a/gateway/src/proxy/tls_passthough.rs
+++ b/gateway/src/proxy/tls_passthough.rs
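Review bot: `pub dns_resolve: Duration` is added to `Timeouts` as a required field with no `#[serde(default)]`, so a gateway.toml written before this change fails to deserialize at startup instead of receiving the 5-second default the commit message describes — unless the loader layers the shipped gateway.toml underneath operator config, which is not visible here. The neighbouring fields (`cache_top_n`, `idle`) carry no default either, so this may be the project's convention; if the shipped file is not merged in, `#[serde(default = "default_dns_resolve")]` on the field plus `fn default_dns_resolve() -> Duration { Duration::from_secs(5) }` (name constructed) keeps existing configs loading. The doc comment could also state what expiry means for the client, e.g. `/// Timeout for DNS TXT record resolution (app address lookup); on expiry the inbound connection is rejected.`, which is what the tls_passthough.rs hunk does with `?`. The `Timeouts` struct starts and ends outside the hunk.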
@@ -79,8 +79,10 @@ pub(crate) async fn proxy_with_sni(
 ) -> Result<()> {
 let ns_prefix = &state.config.proxy.app_address_ns_prefix;
 let compat = state.config.proxy.app_address_ns_compat;
- let addr = resolve_app_address(ns_prefix, sni, compat)
+ let dns_timeout = state.config.proxy.timeouts.dns_resolve;
+ let addr = timeout(dns_timeout, resolve_app_address(ns_prefix, sni, compat))
 .await
+ .context("DNS TXT resolve timeout")?
 .context("failed to resolve app address")?;
 debug!("target address is {}:{}", addr.app_id, addr.port);
 proxy_to_app(state, inbound, buffer, &addr.app_id, addr.port).await
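Review bot: The `Elapsed` error from `timeout` is wrapped with the fixed string `"DNS TXT resolve timeout"`, so the error that reaches the log names neither the queried name nor the bound that fired, which is what an operator needs to tell a sick resolver from one slow client-chosen zone (`sni` is client-supplied). Prefer `.with_context(|| format!("DNS TXT resolve for {sni} timed out after {dns_timeout:?}"))`, assuming `sni` implements `Display`. Note also that dropping the future on expiry only bounds this connection's wait: if `resolve_app_address` hands the query to a blocking resolver or a spawned task, the lookup keeps running after `?` returns, so the bound does not by itself cap resolver load — worth recording on the `dns_resolve` doc comment if that is the case. No `use` line is added by this patch (the diffstat accounts for exactly these three insertions), so `timeout` must already be in scope in this file; `proxy_with_sni` begins and ends outside the hunk.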