queryTxt ETIMEOUT cluster0.mz4zy3m.mongodb.net means the Node MongoDB driver could not resolve the TXT DNS record for your SRV URI. This happens before any TCP connection to Atlas, so IP allow-list / credentials aren’t the root cause (those would produce different errors).
DNS resolution from the host actually running Node
# SRV records (hosts of the cluster)
nslookup -type=SRV _mongodb._tcp.cluster0.mz4zy3m.mongodb.net
# TXT record (SRV options)
nslookup -type=TXT cluster0.mz4zy3m.mongodb.net
If either times out → it’s a DNS resolver / firewall / VPN issue:
Switch your resolver to a public DNS (e.g. 1.1.1.1, 8.8.8.8).
Ensure outbound UDP/TCP 53 is allowed (corporate firewalls often block it).
If running in Docker, set DNS explicitly (compose: dns: [1.1.1.1,8.8.8.8]).
.env formatting (avoid hidden mistakes)
# Good: no spaces around "=", no surrounding quotes
MONGODB_URI=mongodb+srv://<username>:<password>@cluster0.mz4zy3m.mongodb.net/?retryWrites=true&w=majority&appName=Cluster0
With .env, spaces around = or stray quotes can break parsing.
Driver version
Use a current MongoDB Node driver via recent Mongoose (v7+). Old drivers had SRV quirks.
Quick workarounds if SRV/TXT isn’t resolvable
A) Use the non-SRV seedlist URL (bypasses TXT lookups).
In Atlas UI → Connect → Drivers → choose the “No SRV” connection string (starts with mongodb:// and lists multiple hosts + replicaSet, tls=true, etc.). Example:
MONGODB_URI=mongodb://<user>:<pass>@ac-abc.mongodb.net:27017,ac-def.mongodb.net:27017,ac-ghi.mongodb.net:27017/\
This avoids the TXT lookup entirely.
B) Resolve SRV once, then pin a single host (temporary).
Find a host from the SRV query (when DNS works somewhere), then:
MONGODB_URI=mongodb://<user>:<pass>@ac-abc.mongodb.net:27017/?tls=true&authSource=admin
(Replica-set features work better with the full seedlist, so this is only a stopgap.)
Your code is already fine.
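The two lookups behind a `mongodb+srv://` URI can be reproduced with Node's own resolver, which reports which record fails and derives the non-SRV seedlist from the answers. This is an added example, not code from the original answer or from the MongoDB driver: the function names are hypothetical, and the parent-domain and TXT-option checks follow the MongoDB seedlist discovery rules as I understand them.

```javascript
// Added example: check the two DNS lookups behind mongodb+srv:// and derive a
// non-SRV seedlist. Credentials are left as placeholders on purpose.
const ALLOWED_TXT = new Set(['authSource', 'replicaSet', 'loadBalanced']);

// Pure step: turn SRV/TXT answers (shape of dns.resolveSrv / dns.resolveTxt)
// into a mongodb:// URI, applying the checks a mongodb+srv client performs.
function buildSeedlistUri(host, srv, txt) {
  const parent = host.split('.').slice(1).join('.').toLowerCase();
  const seeds = srv.map(({ name, port }) => {
    // Reject SRV targets outside the cluster's parent domain (spoofed answer).
    if (!name.toLowerCase().endsWith('.' + parent)) {
      throw new Error(`SRV target ${name} is outside ${parent}`);
    }
    return `${name}:${port}`;
  });
  if (seeds.length === 0) throw new Error('no SRV records returned');
  if (txt.length > 1) throw new Error('more than one TXT record');
  const opts = new URLSearchParams(txt.length ? txt[0].join('') : '');
  for (const key of opts.keys()) {
    if (!ALLOWED_TXT.has(key)) throw new Error(`TXT option ${key} not allowed`);
  }
  opts.set('tls', 'true'); // mongodb+srv implies TLS; keep it on the seedlist
  return `mongodb://<username>:<password>@${seeds.join(',')}/?${opts}`;
}

// Run both lookups and report which one failed, with the resolver's error code.
async function diagnose(host, resolver) {
  const [srv, txt] = await Promise.allSettled([
    resolver.resolveSrv(`_mongodb._tcp.${host}`),
    resolver.resolveTxt(host),
  ]);
  if (srv.status === 'rejected') return { ok: false, failed: 'SRV', code: srv.reason.code };
  // A missing TXT record is acceptable; a timeout or refusal is a real failure.
  if (txt.status === 'rejected' && !['ENODATA', 'ENOTFOUND'].includes(txt.reason.code)) {
    return { ok: false, failed: 'TXT', code: txt.reason.code };
  }
  return { ok: true, uri: buildSeedlistUri(host, srv.value, txt.value || []) };
}

// CLI use: node <this file> <cluster host>, run on the host that runs the app.
if (process.argv[2]) {
  import('node:dns').then(({ promises }) => diagnose(process.argv[2], promises))
    .then((result) => console.log(result));
}
```

A result of `{ ok: false, failed: 'TXT', code: 'ETIMEOUT' }` corresponds to the `queryTxt ETIMEOUT` error discussed above.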