Dahua Camera DNS

Probird79

While in my router GUI I noticed in my system log that my camera (IPC-HDW4231EM-ASE) is trying to access an IP address that I'm unaware of. Looking up the IP address it seems to be associated with Comodo DNS.
Code:
Proto NATed Address                            Destination Address                      State
tcp   192.168.1.10:49918                       8.26.56.26:53                            TIME_WAIT
tcp   192.168.1.10:49919                       8.26.56.26:53                            TIME_WAIT
In the camera settings the Preferred DNS and Alternate DNS are 8.8.8.8 and 8.8.4.4 respectively (Google's DNS). Why is the camera trying to access this IP address?
 

RJF

Don't know, but I don't trust these cameras enough to let them communicate with the world so I have set up a firewall rule to drop all traffic except to two IP addresses: the address of my PC/NVR and the address of an external NTP time server.
 
Member (joined Jul 8, 2015)
Don't know, but I don't trust these cameras enough to let them communicate with the world so I have set up a firewall rule to drop all traffic except to two IP addresses: the address of my PC/NVR and the address of an external NTP time server.
Would you mind explaining how to do that?
 

RJF

I could definitely tell you if you have Unifi network equipment. I can't guarantee I could help with other equipment, but happy to try. The first question is what do you have? Not all equipment has configurable firewalls.
 

t84a

Mine is only reaching out to the Google DNS that I entered. Are you sure that's not a clock server that you chose in the settings?
 
Member (joined Jul 8, 2015)
I could definitely tell you if you have Unifi network equipment. I can't guarantee I could help with other equipment, but happy to try. The first question is what do you have? Not all equipment has configurable firewalls.
I'm using an Asus RT-AC68U. I just did some digging into the settings. There is a section on firewalls. I'll have to read up on how to set that up. Would the settings be isolated to the router, or is there something I have to do with the switch too? There is no web GUI for the switch, and my understanding is that traffic within the local network can go through the switch and skip the router completely. So are the firewall settings on the router still applicable?
 

RJF

I'm using an Asus RT-AC68U. I just did some digging into the settings. There is a section on firewalls. I'll have to read up on how to set that up.
In case helpful, what I did was create a group with all the IP addresses of the cameras and a group with the IP addresses of the PC/NVR and time server (that the cameras are permitted to communicate with). I then created a rule on LAN IN that will ACCEPT packets between those two groups and then a second rule (to be applied after the first) on LAN IN that will DROP any other packets originating from the camera group. I'm only familiar with the Unifi equipment but I'm reasonably certain that most firewalls are conceptually similar.
 

Darkflame808

On an RT-AC68U see if you have parental controls. If you do, add the camera to the list and have it set so that it's banned from the internet 24/7. The camera can still talk to the router and to your PC; it just can't access the WAN. This means you can't access it via the cloud-based apps either. But Blue Iris will work, as you are talking to BI and BI is talking to the camera on the internal network.

Hope this helps.
 

Mike A.

You can block access to the WAN directly with the AC68. On the router's network map screen that comes up first by default, click on the circle-button-looking thing above where it says clients with a number. That will display a list of connected clients in the column to the right. Click on the entry for the cam. On the screen that comes up there's a button to toggle access to the Internet on/off. As above, that will limit access to the cam directly from outside your net (at least without some more complicated changes to iptables directly). You also can point the gateway on the cam to itself so it doesn't know where to go to get out anywhere, and that will avoid cluttering up your router logs with those entries. Again, that may affect some things depending on how you're set up.

Not sure what setting on that cam might cause it, but check under the tabs for network for P2P and anything else that doesn't need to be turned on. I don't have that cam and didn't notice that one specifically, but on some of my other Dahuas' firmware they'd still try to call out to various places no matter how you had things set. Most of that seems to have been cleaned up in more recent versions.

Oops... just noticed that it was someone else who had the AC68. Same likely applies in some way for most others though.
 

Probird79

Mine is only reaching out to the Google DNS that I entered. Are you sure that's not a clock server that you chose in the settings?
I'm using pool.ntp.org for NTP on port 123. pool.ntp.org pings 195.43.74.123. However I do believe I found out my answer described below.
On an RT-AC68U see if you have parental controls.
You unknowingly and indirectly helped solve my question. I have the same router (technically a TM-AC1900 that I flashed with Merlin firmware) and was looking in parental controls (it's under a larger group called AiProtection). A tab next to parental controls is called DNSFilter. I looked at that tab and I saw what's in my picture. I set up the AiProtection a while back and didn't think too much of it. So the DNS filter I'm using (unknowingly; I'd forgotten about it) is Comodo. I don't know why the state of the camera is always TIME_WAIT though. Maybe it's due to not having the Comodo IP address in the DNS of the camera? All other devices (i.e. computers) select the DNS automatically.

Edit: I removed the DNS filter for the camera so it could ping Google's DNS server. The log shows that it's pinging 8.8.8.8 now but its state is still TIME_WAIT.
 

Attachments: (screenshot of the DNSFilter tab, not included)


Probird79

You can block access to the WAN directly with the AC68. On the router's network map screen that comes up first by default, click on the circle-button-looking thing above where it says clients with a number. That will display a list of connected clients in the column to the right. Click on the entry for the cam. On the screen that comes up there's a button to toggle access to the Internet on/off. As above, that will limit access to the cam directly from outside your net (at least without some more complicated changes to iptables directly). You also can point the gateway on the cam to itself so it doesn't know where to go to get out anywhere, and that will avoid cluttering up your router logs with those entries. Again, that may affect some things depending on how you're set up.
This is exactly how you can block any of your connected devices from the WAN. You won't be able to access your devices even with a VPN.
 

Mike A.

This is exactly how you can block any of your connected devices from the WAN. You won't be able to access your devices even with a VPN.
You can make it work via the VPN but it requires making explicit entries to pass that traffic from 10.8.0.x or whatever you use to your internal network using iptables. I'd have to dig a little for the commands but you can make it work if you need to. You can also do various other things at a more granular level using iptables, for example block everything outgoing for a cam/device but still permit it to access UDP on port 123 for NTP.

I think the TIME_WAIT state is pretty normal. You'll see that for lots of things as they idle after doing whatever packet exchange. The TIME_WAIT interval can be set in the OS and probably is just at a relatively high value in the cam.
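The isolation that RJF describes above (accept camera-to-NVR and camera-to-NTP, then drop everything else from the camera group) and that Mike A. sketches here for iptables (block all outbound for a cam except UDP/123, pass the VPN subnet through to the LAN) can be written as one rule set. The script below is an added example, not a script from the thread or from Asus/Merlin. It is shaped like an Asuswrt-Merlin /jffs/scripts/firewall-start and assumes: cameras 192.168.1.10 and 192.168.1.11, NVR/PC 192.168.1.20, the NTP address 195.43.74.123 quoted earlier, OpenVPN client subnet 10.8.0.0/24 arriving on tun21, LAN bridge br0, and a private chain named CAMISOLATE. By default it only prints the rules; set APPLY=1 to install them.

```sh
#!/bin/sh
# Added example: camera isolation in the style of an Asuswrt-Merlin
# /jffs/scripts/firewall-start. Not from the thread; all addresses are assumptions.
# Merlin passes the WAN interface name as $1, so the apply switch is an env var:
#   APPLY=1 /jffs/scripts/firewall-start   installs the rules
#   /jffs/scripts/firewall-start           only prints them

CAMS="192.168.1.10 192.168.1.11"   # camera group (assumed)
NVR="192.168.1.20"                 # PC/NVR (assumed)
NTP="195.43.74.123"                # NTP server IP mentioned earlier in the thread
VPN_NET="10.8.0.0/24"              # OpenVPN client subnet (assumed, as in the post)
LAN_IF="br0"                       # Asuswrt LAN bridge
VPN_IF="tun21"                     # Asuswrt OpenVPN server 1 interface (assumed)
CHAIN="CAMISOLATE"                 # private chain, so the router's own rules stay untouched

# Run iptables, or just print the command when APPLY is not 1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # (Re)create our chain and make sure FORWARD jumps to it exactly once,
    # so re-running the script after a WAN bounce does not stack duplicates.
    ipt -N "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN"
    ipt -D FORWARD -j "$CHAIN" 2>/dev/null
    ipt -I FORWARD 1 -j "$CHAIN"

    # 1. Replies to connections opened *towards* a camera (by an NVR in another
    #    VLAN or by a VPN client) must be accepted before the per-camera DROP below.
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    for cam in $CAMS; do
        # 2. Camera -> NVR. Only matters if the NVR sits behind the router (other VLAN);
        #    on a flat LAN this traffic goes through the switch and never hits FORWARD.
        ipt -A "$CHAIN" -i "$LAN_IF" -s "$cam" -d "$NVR" -j ACCEPT
        # 3. Camera -> NTP, UDP/123 only. Configure the camera with this IP, not a name.
        ipt -A "$CHAIN" -i "$LAN_IF" -s "$cam" -d "$NTP" -p udp --dport 123 -j ACCEPT
        # 4. VPN clients may open new connections to the camera (web UI, RTSP).
        ipt -A "$CHAIN" -i "$VPN_IF" -s "$VPN_NET" -d "$cam" -j ACCEPT
        # 5. Anything else the camera sends off the LAN: log (rate-limited) and drop.
        #    The lookups to 8.26.56.26 seen at the top of the thread would land here.
        ipt -A "$CHAIN" -i "$LAN_IF" -s "$cam" -m limit --limit 6/min \
            -j LOG --log-prefix "CAM-DROP: "
        ipt -A "$CHAIN" -i "$LAN_IF" -s "$cam" -j DROP
    done
}

build_rules
```

Two things to keep in mind when adapting it. The rules sit on the FORWARD chain, so they only govern traffic that crosses the router; camera-to-NVR traffic on the same flat LAN passes switch port to switch port and never reaches the router, which is why no router firewall rule is needed (or able) to control it, as asked earlier in the thread. Rule order matters: the ESTABLISHED,RELATED accept and the per-camera accepts must come before the DROP, otherwise VPN sessions to the camera get their replies dropped.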
 

Probird79

You can make it work via the VPN but it requires making explicit entries to pass that traffic from 10.8.0.x or whatever you use to your internal network using iptables. I'd have to dig a little for the commands but you can make it work if you need to. You can also do various other things at a more granular level using iptables, for example block everything outgoing for a cam/device but still permit it to access UDP on port 123 for NTP.

I think the TIME_WAIT state is pretty normal. You'll see that for lots of things as they idle after doing whatever packet exchange. The TIME_WAIT interval can be set in the OS and probably is just at a relatively high value in the cam.
That command might come in handy at some point in time if it's easily accessible.

I've now been reading a little about what the DNS IP addresses should be since my original post. I would think any appropriate DNS server IP address would be okay (hence why I left the default settings). Everything I've come across has said to make the Primary DNS the same as the Default Gateway (Routers IP address) and either zero out the Alternate DNS or use whatever other DNS server you want. What is the best method and why?
 

RJF

I recently invested in a good router (Unifi Security Gateway) with firewall capabilities and it has been well worth it. It is not that expensive but it is designed for IT professionals and takes some time to learn. I have IoT devices on a different subnet/vlan such that they can talk to the internet but they can't see or talk to any other device on their own or any other subnet. The cameras are also on their own subnet/vlan and allowed to talk to one specific time server and the PC/NVR but all other packets get dropped. Guests also on different vlan, etc. The main point being that I have my trusted devices (laptops/computers/phones) on their own vlan that all other devices are isolated from.
 

Mike A.

That command might come in handy at some point in time if it's easily accessible.
See for example here:

How to block ip camera from accessing the internet

If you search for "Asus iptables" you'll find more info.

I've now been reading a little about what the DNS IP addresses should be since my original post. I would think any appropriate DNS server IP address would be okay (hence why I left the default settings). Everything I've come across has said to make the Primary DNS the same as the Default Gateway (Routers IP address) and either zero out the Alternate DNS or use whatever other DNS server you want. What is the best method and why?
Functionally it doesn't make much difference as far as just having it work. As you say, any valid DNS server address will work. The alternate address is simply a backup for the first. The reason to use the IP of the router (or other similar device) is so that you have an easier, centralized way to manage things. If you point it to the router, then you only need to make whatever change in one place vs on each cam/device independently. By default DHCP-based addresses also will pull that value from the DHCP server/router. In some cases you might want it to be different for whatever reason.

Generally speaking there isn't much reason to have the cams looking to resolve outside addresses unless maybe you're using a P2P-type service or they're feeding some other service like a remote FTP or SMTP server that they're calling by name vs IP address. NTP you'll probably end up doing internally once you lock things down anyway and can call via IP address. Normally I just plug it with the cam's own IP or other nonsense values to keep them from being able to "phone home." That also keeps some of the clutter out of my logs since some try to make calls at ridiculous rates like every 10 seconds. Or alternately you might want to let them through so you can see what they're trying to do. In my case I run everything through a Pi-hole for centralized ad blocking and it just ends up being unnecessary noise.
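Mike A.'s alternative of letting the lookups through "so you can see what they're trying to do" can be turned into a routine check against the router's connection table. The script below is an added example, not code from the thread: it reads a table in the Asuswrt GUI format quoted in the first post (Proto / NATed Address / Destination Address / State) and reports every flow from the camera to a destination outside an allowlist. The camera address 192.168.1.10 is the one from the thread; the allowlist (NVR 192.168.1.20, Google DNS, the NTP address 195.43.74.123) and the sample table are constructed for this example.

```sh
#!/bin/sh
# Added example: flag camera flows to destinations not on an allowlist.
# Input is the Asuswrt GUI connection table format quoted at the top of the thread.
# The camera IP is from the thread; the allowlist and the sample table are constructed.

CAM="192.168.1.10"
ALLOWED="192.168.1.20 8.8.8.8 8.8.4.4 195.43.74.123"   # NVR, Google DNS, NTP (assumed)

# Constructed sample: the two Comodo lines from the thread plus normal camera
# traffic and an unrelated host, so the filter has something to keep and to skip.
SAMPLE='Proto NATed Address                            Destination Address                      State
tcp   192.168.1.10:49918                       8.26.56.26:53                            TIME_WAIT
tcp   192.168.1.10:49919                       8.26.56.26:53                            TIME_WAIT
udp   192.168.1.10:123                         195.43.74.123:123                        ASSURED
tcp   192.168.1.10:37554                       8.8.8.8:53                               TIME_WAIT
tcp   192.168.1.10:554                         192.168.1.20:51200                       ESTABLISHED
tcp   192.168.1.50:44312                       8.26.56.26:53                            TIME_WAIT'

# unexpected_flows CAM_IP "ip ip ..."  < table
# Prints "<proto> <dst-ip> <dst-port> <state>" for each flow from CAM_IP whose
# destination IP is not in the allowlist. The header line and other hosts are skipped.
unexpected_flows() {
    awk -v cam="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }
        {
            split($2, src, ":"); if (src[1] != cam) next
            split($3, dst, ":")
            if (!(dst[1] in ok)) print $1, dst[1], dst[2], $4
        }'
}

# Same report collapsed to unique proto/destination/port with a hit count,
# which is what you want when a camera retries every few seconds.
unexpected_summary() {
    unexpected_flows "$1" "$2" | awk '{ key = $1 " " $2 ":" $3; c[key]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_flows "$CAM" "$ALLOWED"
}

summary_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_summary "$CAM" "$ALLOWED"
}

audit_sample
summary_sample
```

On the sample this reports the two 8.26.56.26:53 flows and nothing else; the 8.8.8.8, NTP and NVR entries are on the allowlist and the 192.168.1.50 entry belongs to another host. On the router itself the same data lives in /proc/net/nf_conntrack (ip_conntrack on older firmware), whose field layout differs from the GUI table, so the awk field numbers need adjusting; the allowlist logic is the same. A destination that shows up here but appears nowhere in the camera's own settings is exactly the kind of thing worth chasing; in this thread it turned out to be the router's DNSFilter rather than the camera's configured DNS.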
 

keneil01

I recently invested in a good router (Unifi Security Gateway) with firewall capabilities and it has been well worth it. It is not that expensive but it is designed for IT professionals and takes some time to learn. I have IoT devices on a different subnet/vlan such that they can talk to the internet but they can't see or talk to any other device on their own or any other subnet. The cameras are also on their own subnet/vlan and allowed to talk to one specific time server and the PC/NVR but all other packets get dropped. Guests also on different vlan, etc. The main point being that I have my trusted devices (laptops/computers/phones) on their own vlan that all other devices are isolated from.
I just bought a USG and a UniFi switch myself, and am waiting for the cloud key to arrive. I have not started the config yet...

Do you have one vlan for the cameras and another for the dvr? I guess you are just forwarding the streams to the dvr vlan.

I'm looking forward to getting started!!
 

RJF

I just bought a USG and a UniFi switch myself, and am waiting for the cloud key to arrive. I have not started the config yet...

Do you have one vlan for the cameras and another for the dvr? I guess you are just forwarding the streams to the dvr vlan.

I'm looking forward to getting started!!
I'm sure there are multiple ways to do it but I think you would want the cameras and the NVR to be in the same vlan. At least that is how mine is set up.
 

Billl

I just bought a USG and a UniFi switch my self, and are waiting for the cloud key to arrive.
BTW, from what I have heard about the Cloud Key, you'll want to be sure it is powered by a UPS, as they are prone to not coming back up properly after a power loss.
 

keneil01

BTW, from what I have heard about the Cloud Key, you'll want to be sure it is powered by a UPS, as they are prone to not coming back up properly after a power loss.
I'm all up and running - and loving it :) It certainly was a steep learning curve! All my network gear is powered by a UPS, so I should avoid a corrupt database on the cloud key.
 