Most enterprises run DNS in one of two suboptimal shapes. Either the master DNS server is the public-facing authoritative server — exposing version banners, config files and an attack surface that has no business being on the public internet — or the master sits behind a hand-rolled secondary list that is hard to keep current, hard to scale and harder to audit.
Both shapes leave the master server's CPU answering raw public queries. Under volumetric attack the master saturates; under heavy growth the master cannot scale horizontally; under change pressure the operator must coordinate manual slave updates. Each of these failure modes happens during incidents, when the team can least afford it.
The right architecture is the hidden master / serving slave pattern: the master operates inside the secure zone, accepting AXFR/IXFR requests from authorized slaves and sending NOTIFY messages on change; public-facing serving nodes pull the zone on a schedule, hold it in memory, and answer queries without consulting the master.
TR7 GTM Express Zone Acceleration implements this pattern natively: per-domain Express profiles, multi-master support, per-DC profile selection, NOTIFY-driven refresh, in-memory serving.
Express mode runs at the domain level — selected zones are AXFR-pulled from operator-defined master servers and held in TR7 process memory, with NOTIFY-driven incremental updates keeping the cache current.
The authoritative master DNS server is never directly exposed to public traffic. TR7 fronts the master, absorbs query volume, and isolates the master from attack surface, version disclosure and operational pressure.
The first sync pulls the full zone with AXFR; subsequent updates use incremental IXFR. Master-side NOTIFY messages trigger an immediate refresh — operators do not wait for the next polling interval to see a record change land.
An Express profile lists multiple master addresses (IP+port). TR7 cycles or falls back across masters automatically. Operators run hot-standby masters or distinct regional masters and let TR7 handle the failover.
An Express profile's identifier pattern (regex or wildcard) automatically associates domains with the right master set. Operators do not bind domain-by-domain by hand; new domains matching the pattern fall under the profile.
Express Zone Acceleration brings the hidden-master serving-slave architecture into the TR7 GTM data plane with native AXFR/IXFR/NOTIFY support and per-DC profile flexibility.
Each DNS domain in TR7 GTM can independently choose whether it runs in Express mode or in directly-edited mode. Mixed-mode operation is fully supported on the same fleet — some zones are master-fed via AXFR, others are edited directly via TR7's record management UI.
An Express profile carries an array of master addresses — IP and port per entry. TR7 attempts each master in order for AXFR/IXFR, providing automatic failover when a master is unreachable. Operators run hot-standby master pairs or geographically distributed master fleets behind one profile.
Different TR7 data centers can subscribe to different Express profiles for the same domain. Regional master architectures, signing-master separation, and read-only edge masters are all expressible without forking domain configuration.
Each Express profile defines an identifier pattern. Domains matching the pattern automatically inherit the profile, eliminating manual per-domain bind operations. New domains added to the master that match the pattern are picked up without operator action.
Once synchronized, zone records are held in process memory and answered without disk traversal, database lookup or upstream master query. The query path is optimized for tail-latency consistency under load.
When the upstream master sends a NOTIFY message indicating a zone change, TR7 immediately initiates an IXFR to pull the delta. Operators do not wait for SOA refresh timers to expire — propagation is event-driven on the order of seconds.
Zone transfer happens over standard DNS protocols. Refresh / retry / expire / minimum-TTL behaviour follows SOA record values, with operator override per Express profile. Bandwidth-aware scheduling avoids transfer storms across large fleets.
An advanced Lua filter executes against the inbound AXFR stream to transform records before they are committed to the local zone copy. Use cases: sanitizing internal records before public serving, applying regional substitution rules, or stripping experimental record types.
In Disaster Recovery mode, Express-mode zones behave correctly under failover: when a DC's master becomes unreachable, TR7 falls back to backup masters and continues serving the most recently synchronized records — never returning empty answers because the master is offline.
Operators see per-zone synchronization state: last successful AXFR/IXFR time, current SOA serial, NOTIFY arrival timestamp, and any sync errors. Drift between TR7's local copy and master is exposed before it causes a production incident.
Express mode operates together with master selection, SOA-driven refresh timers, NOTIFY listener configuration, AXFR stream filters, and DR fallback behaviour.
TR7 attempts master addresses in the order configured. On AXFR failure the next master is tried automatically. Health of master endpoints can be paired with TR7 GTM health check infrastructure so an unhealthy master is skipped without retry penalty.
The zone's SOA record provides default refresh, retry, expire, and minimum TTL semantics. Operators override these per Express profile when master-side SOA values are inappropriate for the serving infrastructure (for example, master SOA refresh is 4 hours but serving infrastructure needs 5-minute refresh).
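The ordered-master failover and the SOA-timer override described in the two paragraphs above can be reduced to a small scheduler. The following is an added example, not TR7 code: it assumes a profile dict with a `masters` list and an `overrides` dict (hypothetical shapes, not the product's configuration format), constructed SOA values, and an injected `transfer` function standing in for the real AXFR/IXFR call.

```python
"""Serving-slave refresh scheduler: SOA timers with per-profile overrides and
ordered multi-master failover (added example, not TR7 code)."""
from dataclasses import dataclass, field

SOA_FIELDS = ("refresh", "retry", "expire", "minimum")


@dataclass
class ZoneState:
    serial: int = 0
    last_success: float = 0.0     # time of the last good AXFR/IXFR
    next_attempt: float = 0.0     # when the scheduler should next contact a master
    stale: bool = False           # past SOA expire without a successful transfer
    records: list = field(default_factory=list)


def effective_timers(soa, overrides):
    """Profile overrides win over master-side SOA values (e.g. 4 h refresh -> 5 min)."""
    return {k: overrides.get(k, soa[k]) for k in SOA_FIELDS}


def ordered_masters(profile, is_healthy):
    """Masters in configured order, skipping those the health checks mark down,
    so an unhealthy master costs no connection attempt."""
    return [m for m in profile["masters"] if is_healthy(m)]


def sync_zone(state, profile, soa, now, transfer, is_healthy=lambda m: True):
    """One scheduler pass: try masters in order; set timers from the outcome.

    `transfer(master, current_serial)` returns (serial, records) or raises OSError.
    Returns the master that served the transfer, or None if every master failed.
    """
    t = effective_timers(soa, profile.get("overrides", {}))
    for master in ordered_masters(profile, is_healthy):
        try:
            serial, records = transfer(master, state.serial)
        except OSError:
            continue                       # unreachable master: fall through to the next
        state.serial, state.records = serial, records
        state.last_success, state.stale = now, False
        state.next_attempt = now + t["refresh"]
        return master
    # every master failed: back off by retry and flag staleness once expire has passed
    state.next_attempt = now + t["retry"]
    if now - state.last_success >= t["expire"]:
        # RFC 1035 semantics would stop answering here; the page states that TR7
        # keeps serving the last synchronized copy, so only flag it for monitoring.
        state.stale = True
    return None


def unreachable(master, current_serial):
    """Constructed transfer function: every master times out."""
    raise OSError("timeout")


def demo():
    """Constructed scenario: master SOA says 4 h refresh, profile overrides to 5 min,
    first master is down, second answers."""
    soa = {"refresh": 4 * 3600, "retry": 900, "expire": 7 * 86400, "minimum": 300}
    profile = {"masters": [("10.0.0.1", 53), ("10.0.0.2", 53)], "overrides": {"refresh": 300}}
    reachable = {("10.0.0.2", 53)}

    def fake_transfer(master, current_serial):
        if master not in reachable:
            raise OSError("connection refused")
        return 2024050101, [("www", "A", "203.0.113.10")]

    state = ZoneState()
    used = sync_zone(state, profile, soa, now=1000.0, transfer=fake_transfer)
    return used, state


if __name__ == "__main__":
    used, st = demo()
    print(f"served by {used}, serial {st.serial}, next attempt at t={st.next_attempt}")
```

The `stale` flag is the drift signal an operator would alert on: it fires only after every master in the profile has failed for longer than the (possibly overridden) expire interval, which is exactly the condition that should page someone rather than silently return empty answers.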
TR7 listens for NOTIFY messages from the master. Source IP filters ensure only the registered master addresses can trigger an unscheduled refresh. Unauthorized NOTIFY attempts are logged for security review.
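What the NOTIFY listener has to check before honouring an unscheduled refresh follows directly from RFC 1996: the opcode, an SOA question, the source address against the registered masters, and (when the master includes its SOA) whether the advertised serial is actually newer under RFC 1982 serial arithmetic. The code below is an added example and not TR7's listener; it constructs its own NOTIFY packets and allow-list, and the IXFR itself is only represented by the returned decision.

```python
"""Validate an inbound DNS NOTIFY against the registered master list (RFC 1996).
Added example, not TR7 code; packets and allow-list are constructed here."""
import logging
import struct

log = logging.getLogger("notify-listener")

OPCODE_NOTIFY = 4
QTYPE_SOA = 6


def read_name(pkt, off):
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if a is newer than b (handles wrap)."""
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)


def parse_notify(pkt):
    """Return id/zone/serial from a NOTIFY; raise ValueError if it is not one."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if (flags >> 11) & 0xF != OPCODE_NOTIFY or qd != 1:
        raise ValueError("not a NOTIFY request")
    zone, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    if qtype != QTYPE_SOA:
        raise ValueError("NOTIFY question is not SOA")
    serial = None
    if an >= 1:                                    # optional SOA in the answer section
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, _rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == QTYPE_SOA:
            _, off = read_name(pkt, off)           # MNAME
            _, off = read_name(pkt, off)           # RNAME
            serial = struct.unpack_from("!I", pkt, off)[0]
    return {"id": msg_id, "zone": zone, "serial": serial}


def handle_notify(pkt, src_ip, allowed_masters, local_serial):
    """Decide whether a NOTIFY may trigger an unscheduled IXFR; log rejects for review."""
    try:
        info = parse_notify(pkt)
    except (ValueError, IndexError, struct.error) as exc:
        log.warning("malformed NOTIFY from %s: %s", src_ip, exc)
        return {"action": "drop", "reason": "malformed"}
    if src_ip not in allowed_masters:
        log.warning("unauthorized NOTIFY for %s from %s (id=%d)", info["zone"], src_ip, info["id"])
        return {"action": "drop", "reason": "unauthorized", "zone": info["zone"]}
    if info["serial"] is not None and not serial_gt(info["serial"], local_serial):
        return {"action": "ignore", "reason": "serial not newer", "zone": info["zone"]}
    return {"action": "ixfr", "zone": info["zone"], "serial": info["serial"]}


def build_notify(zone, msg_id=0x1234, serial=None):
    """Construct a NOTIFY packet for testing (AA set, optional SOA answer RR)."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".")) + b"\x00"
    an = 0 if serial is None else 1
    pkt = struct.pack("!6H", msg_id, flags, 1, an, 0, 0) + qname + struct.pack("!HH", QTYPE_SOA, 1)
    if serial is not None:
        rdata = b"\xc0\x0c" + b"\xc0\x0c" + struct.pack("!5I", serial, 3600, 900, 604800, 300)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 0, len(rdata)) + rdata
    return pkt


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    allowed = {"192.0.2.10"}                       # constructed master allow-list
    pkt = build_notify("example.net.", serial=2024050102)
    print(handle_notify(pkt, "192.0.2.10", allowed, 2024050101))
    print(handle_notify(pkt, "198.51.100.7", allowed, 2024050101))
```

The source-address check is deliberately done before anything is scheduled, and a rejected NOTIFY produces a log line rather than a transfer: a spoofed NOTIFY then costs the serving node nothing beyond a parse, and the log line is the artefact a security review would look for.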
The Lua-based stream filter runs in-process against incoming AXFR records. Filter scripts can rewrite, drop, or annotate records before commit. State persists across syncs (e.g., previous record content for change detection).
When different DCs have different Express profiles for the same domain, each DC pulls from its assigned master independently. Cross-DC drift is expected and tracked; operators choose whether to alert on drift or treat it as design intent.
In DR mode, Express zones contribute to failover decisions. The DR scenario can use master reachability as a condition. If the local DC's master is unreachable, the DR scenario may direct traffic to a backup DC whose master is still serving.
The master DNS server runs in a private security zone, never directly exposed. TR7 GTM nodes act as the public-facing slaves, absorbing all query traffic and isolating the master from internet attack surface.
Each region (EU, US, APAC) runs its own master DNS server. TR7 GTM nodes in each region use a regional Express profile pointing at the local master, minimizing transfer latency and cross-region bandwidth.
TR7's in-memory zone serving absorbs query floods that would otherwise saturate a traditional database-backed master. The master never sees the attack traffic; TR7's query path scales independently.
The master operator edits a record. The master sends NOTIFY to the TR7 fleet. TR7 immediately initiates IXFR. The new record is served from memory within seconds — without operator action on the TR7 side.
See Express Zone Acceleration live: an authoritative master inside the secure zone, TR7 nodes on the public edge, zone changes propagating in seconds.