Have to restart Server DNS every time we try to send a dental case.

thecomputerguy

Well-Known Member
Reaction score
1,366
I posted this awhile back but I can't find the original post.

I have a dental client that uses a software called 3shape which allows them to take 3d image scans of people mouth's. Once the scan is complete they send the results over to a dental lab for processing.

One day it stopped sending the cases and basically just said check your internet connection. I went through hours of troubleshooting myself and with the vendor and we could not figure it out until I just so happened to restart the DNS service on our Domain Controller and what do you know ... it sent!

One time.

Currently this issue re-occurs after every scan is sent and I have to restart the DNS service every single time to get the scan to send. Thankfully they only do a couple of these a week but I can't figure out for the life of me how to permanently resolve this.

Things that don't fix it:

Restarting
Disable/Enable network adapter
Changing the DNS of the local machine to 8.8.8.8
Changing the DNS of the local machine to 1.1.1.1
ipconfig /flushdns

The only thing that does fix it is to login to the server and restart the DNS service regardless of what the DNS is set as on the local station, then it will send one scan, and I have to repeat this process for each subsequent scan.

I can't have the users logging into the server and restarting DNS every time, that's asking for trouble.

Is there a way to restart the DNS service on the Server from the local workstation without having to login to the server as a means to allow them to do it so I don't have to do it every time? Like a bat file I can make on the local station?

Any thoughts on troubleshooting measures to fix this permanently?

After I found out how to fix it the vendor basically said .. C YA... UR PROBLEM NOW
 
1. Are the workstations on the DC?
2. When you get a fail to send what is the message/action?
3. Can you go to a webpage when it fails?
4. Did you try to see if DNS is working by ping google.com when it fails?
5. What version server?
6. Do you have quad 8 as a secondary DNS?
7. How are the machines getting IP's?
8. Have you cleared the DNS cache on server?
 
Where does the SMTP occur? You say it sends the results over to a dental lab...I'm assuming it's using some secured SMTP for that. Or...define how that happens.

So..checking how TCP/IP is set up,

Server, for example
IP of 192.168.10.11
subnet 255.255.255.0
Gateway 192.168.10.1

Primary DNS 192.168.10.11 (or..127.0.0.1)
Secondary DNS...nothing...(unless you have additional DCs on the LAN)

Now, workstations, example
IP of 192.168.10.100
Subnet of 255.255.255.0
Gateway of 192.168.10.1

Primary DNS 192.168.10.11
Secondary DNS...nothing...(unless you have additional DCs on the LAN)

Now...on the server, you fire up DNSMGMT.MSC....and set the DNS forwarders to the public DNS of your choice. Many people us the ISPs DNS servers for this, or..Google DNS. I prefer to always use a safe DNS service for this. In the past it was OpenDNSs free servers, but I started using Quad9 for this. Or...if I have the client on DNS Filter...I use theirs.

And..on the server, fire up event viewer....drill down and look...
 
DNS filter can only be used if you have an account with them, where you whitelist your WAN IP.
Else, put in 9.9.9.9 and you're fine with just that one. (Quad9 is very fast, redundant, free and filters malware/phishing/other bad stuff)..best free safe DNS service by far.

1715286533121.png
 
The only thing I've seen collide with the DNS Server service....is Quickbooks database server manager....and only during bootup (plenty of articles out there on fixing that). Never collides...once booted up. So I'm curious how this dental software you're dealing with..crashes it.

Of course once the DNS Server service on the DC stops...active directory 'tween server and workstations is broken...dead. And..browsing.
 
I'll take all this info on the next go around which I'm sure will be this week. I'm not sure what protocol they use for sending the data ... I think it's FTP actually but I don't have any open ports for FTP on the firewall.

I think adding the forwarders is a really great idea ... I have none currently for this server.
 
I think it's FTP actually but I don't have any open ports for FTP on the firewall.
Generally speaking ports opened on a edge device is for unsolicited incoming requests. Outgoing requests of common services are "generally" allowed unless the site has really locked things down. Under typical settings the outgoing request automatically allows return traffic to the IP in use on the LAN.

I'd venture a 3d file like mentioned might be large compared to traditional emails. If they are not seeing an email client launch then they would need built in SMTP client. Given todays email security i'd think that would be difficult and expensive to maintain unless they leverage a 3rd party solution.
 
Last edited:
Generally speaking ports opened on a edge device is for unsolicited incoming requests. Outgoing requests of common services are "generally" allowed unless the site has really locked things down. Under typical settings the outgoing request automatically allows return traffic to the IP in use on the LAN.

I'd venture a 3d file like mentioned might be large compared to traditional emails. If they are not seeing an email client launch then they would need built in SMTP client. Given todays email security i'd think that would be difficult and expensive to maintain unless they leverage a 3rd party solution.
FTP is the problematic one though. Active FTP would require a port for the data connection opened, so hopefully a dev wouldn't choose that. Even with passive, firewalls that do any kind of inspection hate it. FTPS is not a fun time with clients, I'm sure SFTP would be much smoother.

Hopefully they're not using SMTP, but I've seen old transfer processes using it. Building an SMTP client typically isn't an issue (though that might depend on the language) since there are open source ones available. It's more SMTP server and credentials. Say you're using Sendgrid as an SMTP server (though you'd probably be better off just using their HTTP endpoint instead) the credentials need to be saved somewhere. Hardcoding one set of credentials into the code is a bad idea. It would technically be possible for any client to access the shared credentials. Making unique credentials per client that is entered as config during setup is better, but you'd still have a lot more work to do to make sure you're not providing a SMTP relay to be used for anything. FTP would be better, providing everyone has their own credentials. For SMTP, you could make them rely on their own email, which means they sign in to their provider and you save a refresh token and have to prompt to sign in again if the refresh token ends up expired. Might depend on the language and email provider for how easy that is to do. (Which libraries they provide)

Though, personally I'd just prefer HTTPS. It could just be uploaded to blob storage using a short lived token, but you would still need a mechanism for them to get that token, assuming we are talking about a mostly on prem app that isn't already authenticating with the vendor's API.
 
DNS filter can only be used if you have an account with them, where you whitelist your WAN IP.
Else, put in 9.9.9.9 and you're fine with just that one. (Quad9 is very fast, redundant, free and filters malware/phishing/other bad stuff)..best free safe DNS service by far.

View attachment 16266

Alright so good news ... They contacted me today with the same issue and I logged into the server and added 8.8.8.8 and 8.8.4.4 as forwarders. Once I hit OK I then attempted to send the case and IT SENT!

It sent without having to restart the DNS service! That is of course unless adding forwarders causes the DNS server to restart itself (which I'm hoping is not the case).
 
So...by default, the DNS Server service will forward to the ROOT HINT servers...but I've seen that be...sluggish.
So I've always plugged in the public DNS servers of my choice....and for the past 15 years it's been "safe DNS services"..that filter out known malware/phishing/other-bad-crap sites. Way in the past it was OpenDNS's free servers, 208.67.222.222 and .220.220 but once ShitSco (cisco) bought they started making the free ones less effective. So I found Quad 9 servers (9.9.9.9)...and use those. It's another layer of protect that cuts down on malware related calls/emergencies. Which is better for me. Googles do not filter bad stuff.
 
So...by default, the DNS Server service will forward to the ROOT HINT servers...but I've seen that be...sluggish.
So I've always plugged in the public DNS servers of my choice....and for the past 15 years it's been "safe DNS services"..that filter out known malware/phishing/other-bad-crap sites. Way in the past it was OpenDNS's free servers, 208.67.222.222 and .220.220 but once ShitSco (cisco) bought they started making the free ones less effective. So I found Quad 9 servers (9.9.9.9)...and use those. It's another layer of protect that cuts down on malware related calls/emergencies. Which is better for me. Googles do not filter bad stuff.

Good to know ... I'll give 9.9.9.9 a try too ...

I've also heard in the past 1.1.1.1 and 1.1.2.2 Have some filtering too?
 
Not "too"...you either use a safe dns service, or not. Don't mix. If one "blocks"" a request..the client may not be satisfied and they'll query the secondary DNS server (if provided by one). So...do ...not...mix. If you want to do it right.

Cloudflare is...decent. From the reviews I've read..of safe DNS services, Q9 was the winner of the free services. (and even beat some paid ones). Most recent comparison I read was from Tom Lawrence.
 
So...by default, the DNS Server service will forward to the ROOT HINT servers...but I've seen that be...sluggish.
So I've always plugged in the public DNS servers of my choice....and for the past 15 years it's been "safe DNS services"..that filter out known malware/phishing/other-bad-crap sites. Way in the past it was OpenDNS's free servers, 208.67.222.222 and .220.220 but once ShitSco (cisco) bought they started making the free ones less effective. So I found Quad 9 servers (9.9.9.9)...and use those. It's another layer of protect that cuts down on malware related calls/emergencies. Which is better for me. Googles do not filter bad stuff.
THIS.

As I have gotten more and more into servers I have learned about such things as this. In the end it always comes down to DNS. Using more of Quad 9 as well.
 
Just to follow up I can confirm that the issue has not re-occurred since I added those DNS forwarders and that was exactly one week ago. I should have heard from them by now if they were still having issues.
 
Back
Top