How do DMSS push notifications work?

[xlarons]

Hi,

Quite surprised that my DMSS app receives push notifications when I am away from home.

I can't view the footage without VPNing back home, which I expect.

But it makes me wonder how the notifications are getting to my phone, is the app and NVR connected to some sort of "Dahua cloud" which does it?

 

[wittaj]

If you have P2P enabled that is how. Or you port-forwarded.

 

[xlarons]

If you have P2P enabled that is how. Or you port-forwarded.

Definitely not port forwarding, but p2p......hmm.....Gonna check now. Don't know what that is but don't like the sound of it

@wittaj yep, p2p was on. Turned it off whislt I'm Gonna read up on what it is and what security risk it presents

Interesting when I went to turn p2p off it said this "P2P connection is different from mobile push function. If you want to stop pushing alarm information to remote client, please go to SETTING->SECURITY->System Service->Basic Services and disable the function of "Mobile Push Notifications"."

 

[xlarons]

I don't suppose you know what these things open up please @wittaj ?

If the top box "mobile push notifications" is on, even if p2p and upnp are off, it works. Curious to know what holes these punch in my security

 

[awonson]

@xlarons, I have P2P turned off and don’t use port forwarding. I have blocked all internet access to and from my cameras and NVR via my firewall. I have allowed port 587 for email outgoing from cameras and NVR. Also allow ports 8888 and 2195 outgoing from cameras and NVR for the DMSS notifications. I receive DMSS notifications when my iPhone is on the local LAN and when I am on cellular. When on cellular, I access my cameras and NVR via VPN. I run WireGuard and OpenVPN VPNs from two Raspberry Pi. I am running a syslog server and whenever there is a notification from a camera or NVR, the syslog server shows me the messages from the firewall - traffic out on 587 to my email provider and traffic out on ports 8888 to an Amazon Web Server address for the notification and traffic out to an Apple network 17.188. 170. 138 on port 2195 For the notifications. My firewall logs all messages to my syslog server and the only traffic that leaves my cameras and NVR is through the three ports outlined above that I have permiited. I am using a Ubiquiti USG Pro 4 as my router. in my cameras and NVR I have “mobile push notifications“ enabled.

 

[xlarons]

@xlarons, I have P2P turned off and don’t use port forwarding. I have blocked all internet access to and from my cameras and NVR via my firewall. I have allowed port 587 for email outgoing from cameras and NVR. Also allow ports 8888 and 2195 outgoing from cameras and NVR for the DMSS notifications. I receive DMSS notifications when my iPhone is on the local LAN and when I am on cellular. When on cellular, I access my cameras and NVR via VPN. I run WireGuard and OpenVPN VPNs from two Raspberry Pi. I am running a syslog server and whenever there is a notification from a camera or NVR, the syslog server shows me the messages from the firewall - traffic out on 587 to my email provider and traffic out on ports 8888 to an Amazon Web Server address for the notification and traffic out to an Apple network 17.188. 170. 138 on port 2195 For the notifications. My firewall logs all messages to my syslog server and the only traffic that leaves my cameras and NVR is through the three ports outlined above that I have permiited. I am using a Ubiquiti USG Pro 4 as my router. in my cameras and NVR I have “mobile push notifications“ enabled.

That's awesome, I think I need a router capable of this level of adjustment of the firewall.