Most organizations spend years tuning their HTTP load balancing strategy, building deep WAAP protection for web traffic, and yet treat their DNS infrastructure as a single recursive server with a static IP. That single server becomes both a performance bottleneck and a high-value attack target.
On the performance side, a slow DNS layer pushes latency into every user-facing transaction. Without proper load balancing, a saturated resolver delays every downstream lookup — and traditional anycast-based DNS clusters are difficult to manage in private datacenters where on-prem control is required.
On the security side, attackers know that DNS is rarely inspected. DNS tunneling tools extract gigabytes of data through innocuous-looking TXT records; DGA-powered malware reaches out to thousands of randomly generated domains looking for command-and-control; DNS amplification campaigns abuse open resolvers as reflection vectors; and stub clients on guest networks query whatever upstream resolver they like, bypassing every other security control the organization has put in place.
TR7 DNS Firewall and Load Balancer treats DNS as a first-class application protocol that deserves the same load balancing, health management, caching and security policy enforcement that HTTP services already receive.
Queries get full load balancing and health-aware delivery from the ADC side and pass through a policy engine from the WAAP side, all without leaving the same gateway.
Multiple algorithms — round-robin, least-outstanding, consistent hash, weighted random and weighted hash — distribute DNS queries across resolver or authoritative pools. Each algorithm is matched to the workload: round-robin for symmetric pools, least-outstanding for variable backend response times, consistent hash for cache-affinity scenarios.
Configurable health checks probe DNS backends continuously — UDP query checks, TCP query checks, custom name resolution checks. Unhealthy servers drop out of rotation in seconds; recovery brings them back automatically. The same health model that the rest of TR7 uses for HTTP pools applies to DNS pools.
Rules match per query on query name, query type, source IP, EDNS options, regular expressions and combinations of these. Actions include block, drop, refuse, truncate, spoof a controlled answer, route to a different pool or tag the query for downstream inspection. Policy is evaluated before the query is sent to any backend.
Rate limits can be applied per source IP, per query name, per query type or per combined dimension. Dynamic blocks automatically activate when traffic patterns cross operator-defined thresholds — a single source flooding the gateway with NXDOMAIN queries is throttled or temporarily blocked without operator intervention.
The TR7 DNS Firewall and Load Balancer brings the full TR7 traffic-management philosophy — load balancing, health checks, caching, policy and observability — to the DNS protocol.
Each algorithm fits a workload: round-robin for uniform pools, least-outstanding for backends with variable response time, consistent hash and weighted hash for cache-affinity scenarios where the same query should reach the same backend, and weighted random for gradual traffic shifts. Each vService picks its own algorithm; algorithms can be changed live without a restart.
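The paragraph above names the algorithm families but not what distinguishes them in practice. The following is an added illustration written for this page, not TR7's code: a small resolver pool that implements round-robin, least-outstanding, weighted random and a weighted consistent-hash ring, and shows the property that makes consistent hashing the right choice for cache affinity: removing a backend moves only the keys that were on it. Backend names, weights and the 64 virtual nodes per weight unit are assumed values.

```python
import bisect
import hashlib
import itertools
import random
from typing import Dict, List, Tuple


class ResolverPool:
    """Selects a DNS backend for a query with the algorithm families the page names.

    Illustrative code, not TR7's implementation. `backends` maps backend name to
    weight; the weight is used by the weighted hash and weighted random methods.
    """

    def __init__(self, backends: Dict[str, int], vnodes: int = 64, seed: int = 1):
        self.backends = dict(backends)
        self.vnodes = vnodes
        self.outstanding = {name: 0 for name in backends}  # in-flight queries per backend
        self._rr = itertools.cycle(sorted(self.backends))
        self._rng = random.Random(seed)
        self._ring = self._build_ring()

    @staticmethod
    def _point(data: str) -> int:
        # 64-bit position on the hash ring, derived from SHA-1 of the input.
        return int.from_bytes(hashlib.sha1(data.encode()).digest()[:8], "big")

    def _build_ring(self) -> List[Tuple[int, str]]:
        # Consistent hash ring with virtual nodes. A backend of weight w gets
        # w * vnodes points, so it receives about w times the keys of a weight-1 peer.
        ring = [(self._point(f"{name}#{i}"), name)
                for name, weight in self.backends.items()
                for i in range(self.vnodes * weight)]
        ring.sort()
        return ring

    def round_robin(self) -> str:
        # Uniform pools: rotate through the backends in a fixed order.
        return next(self._rr)

    def least_outstanding(self) -> str:
        # Variable response times: the backend with the fewest in-flight queries is
        # the one draining fastest right now. Ties go to the lowest backend name.
        return min(sorted(self.outstanding), key=self.outstanding.__getitem__)

    def weighted_random(self) -> str:
        # Gradual traffic shifts: raising a backend's weight sends it more queries.
        names = list(self.backends)
        return self._rng.choices(names, weights=[self.backends[n] for n in names])[0]

    def consistent_hash(self, qname: str, qtype: str = "A") -> str:
        # Cache affinity: the same (name, type) always reaches the same backend, so
        # that backend's cache stays warm. Names compare case-insensitively (RFC 4343).
        key = f"{qname.rstrip('.').lower()}/{qtype.upper()}"
        idx = bisect.bisect(self._ring, (self._point(key), ""))
        if idx == len(self._ring):
            idx = 0  # wrap around the ring
        return self._ring[idx][1]

    def remove_backend(self, name: str) -> None:
        # A health check took the backend out. Only keys that sat on its ring points
        # move to a neighbour; every other (name, type) keeps its current backend.
        del self.backends[name]
        del self.outstanding[name]
        self._rr = itertools.cycle(sorted(self.backends))
        self._ring = [(p, n) for p, n in self._ring if n != name]
```

With a plain modulo hash, removing one of three backends would reshuffle about two thirds of all names and empty every backend cache at once; with the ring, the names that were not on the removed backend stay put, which is the behaviour a cache-affinity deployment depends on.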
Internal corporate domains can resolve through one pool, public domains through another, partner zones through a third. Per-pool routing rules direct queries based on QName patterns, source IP ranges or matched policy tags. The same gateway serves multiple DNS architectures cleanly.
TCP and UDP DNS query probes, custom name resolution probes, and timing-based response checks continuously verify backend health. Threshold parameters define how many failed checks trigger removal and how many successful checks reinstate a backend. Slow backends can be removed even when they answer — preventing user-visible latency.
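The health model described above (UDP probes, failure and recovery thresholds, removal of slow-but-answering backends) is easy to get wrong without hysteresis: a single lost packet should not eject a backend, and a single good answer should not reinstate a flapping one. The following is an added example for this page, not TR7's health checker. It builds a wire-format DNS probe, reads the RCODE of the reply, and tracks per-backend state with separate fall and rise counts; the threshold values and the 250 ms latency ceiling are assumed.

```python
import socket
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_probe_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035 section 4.1): header with RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def response_rcode(msg: bytes) -> str:
    """RCODE is the low 4 bits of the flags word at offset 2."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return RCODES.get(flags & 0x0F, f"RCODE{flags & 0x0F}")


def probe_udp(server: str, qname: str, timeout: float = 1.0) -> Tuple[Optional[float], str]:
    """One UDP probe: returns (rtt_ms, rcode); rtt_ms is None on timeout. Does real I/O."""
    query = build_probe_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None, "TIMEOUT"
    if data[:2] != query[:2]:
        return None, "BADID"  # reply to some other transaction
    return (time.monotonic() - start) * 1000.0, response_rcode(data)


@dataclass
class BackendHealth:
    """Hysteresis-based health state for one backend (illustrative, not TR7 code).

    fall: consecutive failed probes before the backend leaves rotation.
    rise: consecutive good probes before it is reinstated.
    max_rtt_ms: slower answers count as failures, so a backend that is up but slow
    is removed before its latency becomes visible to users.
    """
    name: str
    fall: int = 3
    rise: int = 2
    max_rtt_ms: float = 250.0
    healthy: bool = True
    fails: int = 0
    passes: int = 0

    def record_probe(self, rtt_ms: Optional[float], rcode: str = "NOERROR") -> bool:
        """Feed one probe result and return the backend's health after it."""
        # NXDOMAIN is a valid answer (the probe name may not exist); SERVFAIL and
        # REFUSED mean the resolver is not doing its job even though it replied.
        ok = (rtt_ms is not None and rtt_ms <= self.max_rtt_ms
              and rcode in ("NOERROR", "NXDOMAIN"))
        if ok:
            self.passes += 1
            self.fails = 0
            if not self.healthy and self.passes >= self.rise:
                self.healthy = True
        else:
            self.fails += 1
            self.passes = 0
            if self.healthy and self.fails >= self.fall:
                self.healthy = False
        return self.healthy
```

A timeout, an over-budget latency and a SERVFAIL are all counted as the same kind of failure, which is what lets a slow backend fall out of rotation even while it keeps answering.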
Frequently requested records are cached at the gateway with TTL-aware invalidation. The cache respects DNSSEC where applicable and can be bypassed selectively for sensitive zones. Cache hit ratio is exposed in real-time metrics so operators see exactly how much load the gateway absorbs.
Firewall rules match on any combination of query name (exact, suffix, regex), query type (A, AAAA, TXT, MX, ANY, etc.), source IP, EDNS Client Subnet, EDNS options and request flags. Conditions can be combined with AND/OR logic. Rules are evaluated in operator-defined order with explicit allow/deny semantics.
Block returns a controlled error; drop silently discards; refuse returns REFUSED; truncate forces TCP fallback (useful against amplification); spoof returns a controlled answer (block by NXDOMAIN, redirect to a sinkhole, return a safe alternative); route sends the query to a different pool. Tag actions mark queries for downstream inspection without altering the response.
Pattern-based and statistical detection identifies queries against algorithmically generated domains (DGA malware C2) and unusual TXT/CNAME payloads characteristic of DNS-based data exfiltration. Detected queries can be blocked, sinkholed or logged-only for analyst review.
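To make the "pattern-based and statistical detection" concrete, here is an added example (not TR7's detector) that scores a query name the way a DGA and tunnelling heuristic typically does: character entropy and digit density of the second-level label for algorithmically generated domains, and the volume of data packed into subdomain labels combined with data-carrying record types for exfiltration. The weights, thresholds and the three outcomes (sinkhole, log-only, allow) are assumed tuning for the illustration; the sample names are constructed.

```python
import math
from collections import Counter
from typing import Dict, List

PAYLOAD_TYPES = {"TXT", "CNAME", "NULL", "MX"}   # record types that carry free-form data

# Heuristic weights (assumed values for this illustration, not TR7's tuning).
WEIGHTS = {
    "high-entropy-sld": 2,        # DGA: long second-level label that looks random
    "digit-heavy-sld": 1,         # DGA: many digits mixed into the label
    "long-subdomain-payload": 2,  # tunnel: encoded data stuffed into subdomain labels
    "many-labels": 1,             # tunnel: deep label nesting
    "payload-record-type": 1,     # tunnel: TXT/CNAME/... query with a data-carrying name
}


def shannon_entropy(text: str) -> float:
    """Bits per character; random base32/hex text scores well above natural words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_query(qname: str, qtype: str) -> Dict[str, object]:
    labels = qname.rstrip(".").lower().split(".")
    # Approximate the registrable domain as the last two labels; everything left
    # of it is where tunnelling tools put their payload. (A public-suffix list
    # would be more accurate; kept simple here.)
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    sub_labels = labels[:-2]
    payload = "".join(sub_labels)
    reasons: List[str] = []

    if len(sld) >= 12 and shannon_entropy(sld) >= 3.5:
        reasons.append("high-entropy-sld")
    if sld and sum(ch.isdigit() for ch in sld) / len(sld) >= 0.25:
        reasons.append("digit-heavy-sld")
    if len(payload) >= 40:
        reasons.append("long-subdomain-payload")
    if len(sub_labels) >= 4:
        reasons.append("many-labels")
    if qtype.upper() in PAYLOAD_TYPES and len(payload) >= 20:
        reasons.append("payload-record-type")

    score = sum(WEIGHTS[r] for r in reasons)
    # The same three outcomes the page describes: sinkhole, log-only, or pass through.
    verdict = "sinkhole" if score >= 3 else "log" if score >= 1 else "allow"
    return {"qname": qname, "qtype": qtype, "score": score,
            "reasons": reasons, "verdict": verdict}
```

Note the deliberate gap between "log" and "sinkhole": a single weak signal (one digit-heavy label, say) only produces an analyst record, while a name that trips two independent signals is sinkholed. That is what keeps a heuristic like this usable on a corporate network full of CDN hostnames and DMARC/SPF TXT lookups.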
DNS amplification attacks abuse open resolvers to flood targets with reflected traffic. TR7 detects ANY queries, large response patterns and source-spoofing indicators, applying response rate limiting and source-validation actions before any reflection reaches the wire. The gateway never becomes an amplification vector.
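The two mechanisms mentioned above, per-dimension query rate limits with automatic dynamic blocks (the NXDOMAIN-flooding source in the earlier paragraph) and response rate limiting with truncation against amplification, are shown together in this added example. It is illustrative code written for this page, not TR7's enforcement engine. The limits, the 2x "far over the limit" trigger for dynamic blocks, the /24 and /56 client grouping, and the slip value are assumed parameters; the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class QueryRateLimiter:
    """Query-side limits per dimension with dynamic blocks (illustrative, not TR7 code).

    A dimension is e.g. ("src", "198.51.100.7"), ("qname", "example.com") or a
    combined one such as ("src+nx", "198.51.100.7") counting NXDOMAIN answers per
    source. Crossing the limit throttles; crossing twice the limit inside the window
    activates a temporary block that expires on its own.
    """

    def __init__(self, limits: Dict[str, Tuple[int, float]], block_seconds: float = 60.0):
        self.limits = limits                     # dimension -> (max events, window seconds)
        self.block_seconds = block_seconds
        self._events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[Tuple[str, str], float] = {}

    def check(self, dimension: str, key: str, now: float) -> str:
        """Record one event and return 'allow', 'throttle' or 'blocked'."""
        k = (dimension, key)
        until = self._blocked_until.get(k)
        if until is not None:
            if now < until:
                return "blocked"
            del self._blocked_until[k]           # block expired: start counting afresh
            self._events[k].clear()
        limit, window = self.limits[dimension]
        q = self._events[k]
        q.append(now)
        while q and q[0] <= now - window:        # sliding window: forget old events
            q.popleft()
        if len(q) > 2 * limit:
            self._blocked_until[k] = now + self.block_seconds  # no operator needed
            return "blocked"
        if len(q) > limit:
            return "throttle"
        return "allow"


class ResponseRateLimiter:
    """Response Rate Limiting against reflection (illustrative, not TR7 code).

    Responses are counted per (client prefix, response identity) and second. Above
    the limit, every `slip`-th response goes out truncated (TC=1) so a genuine
    client retries over TCP while a spoofed victim receives only a tiny packet; the
    rest are dropped. ANY over UDP is always answered truncated.
    """

    def __init__(self, per_second: int = 5, slip: int = 2):
        self.per_second = per_second
        self.slip = slip
        self._buckets: Dict[Tuple[str, str, int], int] = defaultdict(int)
        self._slip_counter: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def client_prefix(ip: str) -> str:
        # Spoofed sources hop within a block, so group by /24 (v4) or /56 (v6).
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, client_ip: str, qname: str, qtype: str, rcode: str, now: float) -> str:
        """Return 'send', 'truncate' or 'drop' for one outgoing response."""
        if qtype.upper() == "ANY":
            return "truncate"                    # the classic amplifier: force TCP
        prefix = self.client_prefix(client_ip)
        # Positive answers are identified by name; all errors share one identity,
        # which is how RRL catches NXDOMAIN-based reflection too.
        identity = f"{rcode}/{qname.lower()}" if rcode == "NOERROR" else rcode
        bucket = (prefix, identity, int(now))
        self._buckets[bucket] += 1
        if self._buckets[bucket] <= self.per_second:
            return "send"
        self._slip_counter[(prefix, identity)] += 1
        if self.slip and self._slip_counter[(prefix, identity)] % self.slip == 0:
            return "truncate"
        return "drop"
```

The query-side limiter protects the backends; the response-side limiter protects third parties. They are kept separate because the second one must run after resolution, when the response size and RCODE are known, while the first one runs before any backend is contacted.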
Queries can be evaluated by source country, ASN, IP range or time window. Block-list, allow-list and conditional-action policies apply at the DNS layer the same way they apply at the HTTP layer in TR7 WAAP — using the same policy editor and the same enforcement model.
DNS over TLS (DoT, RFC 7858), DNS over HTTPS (DoH, RFC 8484) and DNS over QUIC (DoQ, RFC 9250) are terminated at the gateway. Certificate management uses the same TR7 certificate store as HTTP services. Modern stub resolvers and browser DoH clients connect natively.
ECS information passed by downstream resolvers can be honored, overridden, masked to a privacy-preserving prefix or stripped entirely. The behavior is per-policy, allowing privacy compliance for some flows while preserving geographic accuracy for others.
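The four ECS behaviours above (honor, override, mask, strip) operate on a concrete wire format, the EDNS0 Client Subnet option of RFC 7871. This added example, written for this page rather than taken from TR7, encodes and decodes that option and applies each mode to it; the /24 and /56 privacy widths are assumed defaults and the addresses come from documentation ranges.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Union

ECS_OPTION_CODE = 8  # EDNS0 Client Subnet option code, RFC 7871 section 6

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class ClientSubnet:
    address: IPAddress
    source_prefix: int
    scope_prefix: int = 0

    @classmethod
    def of(cls, ip: str, source_prefix: int, scope_prefix: int = 0) -> "ClientSubnet":
        return cls(ipaddress.ip_address(ip), source_prefix, scope_prefix)

    def to_option(self) -> bytes:
        """Encode as an EDNS0 option: CODE, LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS."""
        family = 1 if self.address.version == 4 else 2
        nbytes = (self.source_prefix + 7) // 8
        # Bits beyond SOURCE PREFIX-LENGTH must be zero, and only the bytes that
        # hold the prefix are sent.
        net = ipaddress.ip_network(f"{self.address}/{self.source_prefix}", strict=False)
        payload = struct.pack("!HBB", family, self.source_prefix, self.scope_prefix)
        payload += net.network_address.packed[:nbytes]
        return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

    @classmethod
    def from_option(cls, data: bytes) -> "ClientSubnet":
        code, length = struct.unpack("!HH", data[:4])
        if code != ECS_OPTION_CODE or length != len(data) - 4 or length < 4:
            raise ValueError("not a well-formed ECS option")
        family, source, scope = struct.unpack("!HBB", data[4:8])
        addr_bytes = data[8:]
        full = {1: 4, 2: 16}.get(family)
        if full is None or source > full * 8 or len(addr_bytes) != (source + 7) // 8:
            raise ValueError("ECS address length does not match the prefix")
        padded = addr_bytes + b"\x00" * (full - len(addr_bytes))
        address = ipaddress.IPv4Address(padded) if family == 1 else ipaddress.IPv6Address(padded)
        return cls(address, source, scope)


def apply_ecs_policy(option: Optional[bytes], mode: str, client_ip: str,
                     mask_v4: int = 24, mask_v6: int = 56) -> Optional[bytes]:
    """Return the ECS option to send upstream under one per-policy mode.

    honor:    forward the downstream resolver's ECS unchanged.
    override: replace it with the connecting client's own address at the mask width.
    mask:     keep it, but widen the prefix to the privacy-preserving width.
    strip:    send no ECS at all.
    """
    if mode == "strip":
        return None
    if mode == "honor":
        return option
    if mode == "override":
        addr = ipaddress.ip_address(client_ip)
        width = mask_v4 if addr.version == 4 else mask_v6
        return ClientSubnet(addr, width).to_option()
    if mode == "mask":
        if option is None:
            return None
        ecs = ClientSubnet.from_option(option)
        width = mask_v4 if ecs.address.version == 4 else mask_v6
        # A prefix the resolver already made broader than our floor is kept as-is.
        return ClientSubnet(ecs.address, min(ecs.source_prefix, width)).to_option()
    raise ValueError(f"unknown ECS mode: {mode}")
```

The masked option is shorter on the wire than the original because the address field shrinks with the prefix; a gateway that only zeroed the host bits but kept the /32 length would still be leaking the fact that a full address was known.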
Every query, decision and action is written to a structured log stream with SIEM-compatible formatting. Real-time metrics expose query rate, response time, cache hit ratio, backend health and rule match counts. Operators see DNS traffic with the same observability depth that the rest of TR7 provides for HTTP.
Operating the DNS Firewall and Load Balancer comes down to a handful of controls: rule ordering, pool topology, cache tuning, transport-protocol choice and audit retention.
Firewall rules are evaluated top-down with first-match-wins by default. Per-rule tags allow downstream rules to act differently based on earlier matches. Explicit allow rules at the top of the chain pin known-good traffic before generic block rules apply, eliminating false positives in production.
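The rule semantics described in the matching and action paragraphs earlier and in the ordering paragraph above (AND/OR conditions on name, type and source; block, drop, refuse, truncate, spoof, route and tag actions; top-down first-match-wins with tags carried to later rules) are shown end to end in this added example. It is illustrative code for this page, not TR7's rule engine or its configuration syntax; the rule names, networks and the sinkhole address are constructed, and representing "block" as an NXDOMAIN answer is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Query:
    qname: str
    qtype: str
    src_ip: str
    tags: Set[str] = field(default_factory=set)  # set by earlier 'tag' rules


@dataclass
class Rule:
    name: str
    action: str                        # allow, block, drop, refuse, truncate, spoof, route, tag
    qname_suffix: Optional[str] = None
    qname_regex: Optional[str] = None
    qtypes: Optional[Set[str]] = None
    src_nets: Optional[List[str]] = None
    requires_tag: Optional[str] = None
    any_of: bool = False               # False: AND all conditions; True: OR them
    arg: Optional[str] = None          # spoofed answer, destination pool, or tag name

    def matches(self, q: Query) -> bool:
        name = q.qname.rstrip(".").lower()
        checks: List[bool] = []
        if self.qname_suffix is not None:
            suffix = self.qname_suffix.rstrip(".").lower()
            checks.append(name == suffix or name.endswith("." + suffix))
        if self.qname_regex is not None:
            checks.append(re.search(self.qname_regex, name) is not None)
        if self.qtypes is not None:
            checks.append(q.qtype.upper() in self.qtypes)
        if self.src_nets is not None:
            ip = ipaddress.ip_address(q.src_ip)
            checks.append(any(ip in ipaddress.ip_network(n) for n in self.src_nets))
        if self.requires_tag is not None:
            checks.append(self.requires_tag in q.tags)
        if not checks:
            return True                # an unconditional rule matches everything
        return any(checks) if self.any_of else all(checks)


@dataclass
class Decision:
    action: str
    rule: Optional[str]                # matching rule name; None for the default action
    arg: Optional[str] = None
    rcode: Optional[str] = None        # what the client sees; None when nothing is sent yet
    tc: bool = False                   # TC=1 makes the client retry over TCP


def terminal_decision(rule: Rule) -> Decision:
    a = rule.action
    if a == "allow":
        return Decision(a, rule.name, rcode="NOERROR")
    if a == "block":
        return Decision(a, rule.name, rcode="NXDOMAIN")  # assumed form of the controlled error
    if a == "drop":
        return Decision(a, rule.name)                    # silently discarded
    if a == "refuse":
        return Decision(a, rule.name, rcode="REFUSED")
    if a == "truncate":
        return Decision(a, rule.name, rcode="NOERROR", tc=True)
    if a == "spoof":
        return Decision(a, rule.name, arg=rule.arg, rcode="NOERROR")  # e.g. sinkhole address
    if a == "route":
        return Decision(a, rule.name, arg=rule.arg)      # handed to the named pool
    raise ValueError(f"unknown action: {a}")


def evaluate(rules: List[Rule], q: Query, default: str = "allow") -> Decision:
    """Top-down, first-match-wins; 'tag' rules mark the query and keep evaluating."""
    for rule in rules:
        if not rule.matches(q):
            continue
        if rule.action == "tag":
            q.tags.add(rule.arg)
            continue
        return terminal_decision(rule)
    return Decision(default, None, rcode="NOERROR" if default == "allow" else None)
```

In the test chain the explicit allow for corporate hosts sits first, so the guest-network restriction on TXT lookups that follows can never hit a corporate client; that is the "pin known-good traffic before generic rules" pattern from the paragraph above, expressed as ordering rather than as exceptions inside each rule.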
Backend pools group resolvers by purpose: corporate internal, public recursion, partner zones, sinkhole pool. Per-pool routing rules direct queries based on QName, source IP or matched tags. Pool failover thresholds prevent a single unhealthy backend from absorbing all traffic.
Cache size, TTL behavior, ECS-aware caching and selective bypass for sensitive zones are all operator-controlled. Negative response caching (NXDOMAIN, NODATA) reduces backend load for high-NX-rate workloads typical of DGA-infected networks.
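The caching behaviour described in the earlier caching paragraph and in the paragraph above (TTL-aware expiry, negative caching of NXDOMAIN and NODATA, ECS-aware keys, selective bypass for sensitive zones, and an exposed hit ratio) is shown in this added example. It is illustrative code for this page, not TR7's cache; the negative TTL follows RFC 2308 (the smaller of the SOA MINIMUM field and the SOA record's own TTL), and the capacity, cap and zone names are assumed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple


@dataclass
class CachedAnswer:
    rcode: str                    # NOERROR, NXDOMAIN or NODATA
    records: Tuple[str, ...]
    expires_at: float
    stored_ttl: int


class DnsCache:
    """TTL-aware positive and negative DNS cache (illustrative, not TR7 code).

    Positive answers live for the smallest TTL in the answer. NXDOMAIN and NODATA
    live for min(SOA MINIMUM, SOA TTL) as in RFC 2308, capped by max_negative_ttl.
    Keys include the ECS scope so a geo-specific answer is only reused for clients
    of the same client subnet. Names under a bypass zone are never cached.
    """

    def __init__(self, max_entries: int = 10000, max_negative_ttl: int = 3600,
                 bypass_zones: Iterable[str] = ()):
        self.max_entries = max_entries
        self.max_negative_ttl = max_negative_ttl
        self.bypass_zones = [z.rstrip(".").lower() for z in bypass_zones]
        self._entries: Dict[Tuple[str, str, Optional[str]], CachedAnswer] = {}
        self.stats = {"hits": 0, "misses": 0, "stores": 0}

    @staticmethod
    def _key(qname: str, qtype: str, ecs_scope: Optional[str]) -> Tuple[str, str, Optional[str]]:
        return (qname.rstrip(".").lower(), qtype.upper(), ecs_scope)

    def _bypassed(self, qname: str) -> bool:
        name = qname.rstrip(".").lower()
        return any(name == z or name.endswith("." + z) for z in self.bypass_zones)

    def store(self, qname: str, qtype: str, rcode: str, records: Sequence[str],
              ttls: Sequence[int], now: float, soa_minimum: Optional[int] = None,
              soa_ttl: Optional[int] = None, ecs_scope: Optional[str] = None) -> bool:
        """Cache one response; returns False when the response is not cacheable."""
        if self._bypassed(qname):
            return False
        if rcode == "NOERROR" and records:
            ttl = min(ttls)                         # RRset lives as long as its shortest TTL
        elif rcode in ("NXDOMAIN", "NODATA") or (rcode == "NOERROR" and not records):
            if soa_minimum is None or soa_ttl is None:
                return False                        # no SOA in authority: cannot negative-cache
            ttl = min(soa_minimum, soa_ttl, self.max_negative_ttl)
            rcode = "NODATA" if rcode == "NOERROR" else rcode
        else:
            return False                            # SERVFAIL, REFUSED, ... are never cached
        if ttl <= 0:
            return False
        if len(self._entries) >= self.max_entries:
            self._evict(now)
        self._entries[self._key(qname, qtype, ecs_scope)] = CachedAnswer(
            rcode, tuple(records), now + ttl, ttl)
        self.stats["stores"] += 1
        return True

    def lookup(self, qname: str, qtype: str, now: float,
               ecs_scope: Optional[str] = None) -> Optional[Tuple[str, Tuple[str, ...], int]]:
        """Return (rcode, records, remaining_ttl) or None on a miss or an expired entry."""
        key = self._key(qname, qtype, ecs_scope)
        entry = self._entries.get(key)
        if entry is None or entry.expires_at <= now:
            if entry is not None:
                del self._entries[key]              # lazy expiry
            self.stats["misses"] += 1
            return None
        self.stats["hits"] += 1
        return entry.rcode, entry.records, int(entry.expires_at - now)

    def hit_ratio(self) -> float:
        total = self.stats["hits"] + self.stats["misses"]
        return self.stats["hits"] / total if total else 0.0

    def _evict(self, now: float) -> None:
        # Drop everything already expired; if still full, drop the entry closest to expiry.
        for key in [k for k, e in self._entries.items() if e.expires_at <= now]:
            del self._entries[key]
        while len(self._entries) >= self.max_entries:
            victim = min(self._entries, key=lambda k: self._entries[k].expires_at)
            del self._entries[victim]
```

The remaining TTL returned by `lookup` is what goes into the answer sent to the client, so downstream caches never hold a record longer than the authoritative server intended; the negative branch is the one that matters for the high-NX-rate, DGA-infected networks the paragraph above mentions, because each repeated lookup of a dead generated name is answered from the gateway instead of reaching the backends.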
Plain UDP/TCP DNS, DoT, DoH and DoQ can be enabled per vService listener. Modern clients negotiate their preferred transport; older clients fall back to UDP. Certificate and cipher policy align with the central TR7 TLS profile pool.
Per-query audit records can be retained for compliance windows; sampling can be applied for high-volume environments. Structured JSON logs stream directly to SIEM. Operators choose between full retention, sampled retention and event-only retention per pool.
DNS sessions are stateless at the protocol level, so failover between active nodes is transparent for most queries. TCP DNS sessions and long DoH connections are coordinated across the HA pair to minimize disruption. Health-check state and cache state are managed independently per node.
Corporate resolvers serving the internal network gain rate limiting, query filtering, audit logging and high availability. Endpoints can no longer query arbitrary external resolvers; DGA-infected hosts are detected and blocked at the gateway.
Organizations operating public DNS services — ISPs, hosting providers, public-sector portals — terminate amplification attacks at the gateway. Rate limiting, source validation and response-pattern checks keep the resolver from being abused as a reflection vector.
Healthcare, financial and government networks add a detection layer for TXT-record-based exfiltration and tunneling techniques. Suspicious flows are sinkholed or logged with full session context for analyst review.
When TR7 GTM serves authoritative DNS for multi-region applications, the DNS Firewall and Load Balancer sits in front of GTM as a rate-limiting, caching and firewall layer. GTM stays focused on routing intelligence; the gateway absorbs hostile traffic.
Intelligent load balancing, active health checks, modern transports and a full firewall rule engine — all in one gateway. Let us walk you through a live setup on your DNS infrastructure.