Geekzone: technology news, blogs, forums
neb

#312102 17-Mar-2024 18:12

I've got a Dahua (legit, not Aliexpress) NVR that I use via the DMSS app and I'm trying to set up firewall rules to avoid false alarms from devices sending suspicious amounts of traffic outside the network. For most stuff it's pretty simple, device X is expected to send up to Y MB of traffic to this server, however with the NVR it sends stuff all over the place, dyn.cust.vf.net.nz addresses, vdsl.sparkbb.co.nz addresses, and some random IP blocks in Sydney. Viewing the video via the DMSS app then connects to the same IP address to grab the video, I'm assuming it's some sort of P2P mechanism, does anyone know what's going on here? If it is P2P and I'm one of the P's I'll VLAN it off even more than it already is.
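
Added example, not part of the original post: a sketch of the per-device traffic budget the post describes, run over constructed flow records, with destinations tagged by the reverse-DNS suffixes the post mentions. The device names, budget figures, `api.vendor.example`, the host names and the documentation-range IP are all assumptions made up for illustration.

```python
from collections import defaultdict

# Assumed policy (hypothetical names and numbers): outbound budget in MB for
# each destination a device is expected to talk to; anything else is unexpected.
BUDGET_MB = {
    "thermostat": {"api.vendor.example": 5},
    "nvr": {},  # no fixed destination is known for the NVR
}
# rDNS suffixes named in the post; by their names these are ISP customer lines.
ISP_CUSTOMER_SUFFIXES = (".dyn.cust.vf.net.nz", ".vdsl.sparkbb.co.nz")

# Constructed flow records: (device, destination rDNS name or IP, bytes sent).
FLOWS = [
    ("thermostat", "api.vendor.example", 2_000_000),
    ("thermostat", "api.vendor.example", 4_500_000),
    ("nvr", "host-17.dyn.cust.vf.net.nz", 80_000_000),
    ("nvr", "host-4.vdsl.sparkbb.co.nz", 35_000_000),
    ("nvr", "203.0.113.40", 1_200_000),
]

def classify(dest):
    """Label a destination so the alert says what kind of endpoint it was."""
    if dest.endswith(ISP_CUSTOMER_SUFFIXES):
        return "isp-customer"  # a subscriber line, consistent with the P2P guess
    return "other"

def evaluate(flows, budgets):
    """Sum outbound bytes per (device, destination) and return sorted alerts."""
    totals = defaultdict(int)
    for device, dest, nbytes in flows:
        totals[(device, dest)] += nbytes
    alerts = []
    for (device, dest), nbytes in sorted(totals.items()):
        mb = nbytes / 1_000_000
        limit = budgets.get(device, {}).get(dest)
        if limit is None:
            reason = "unexpected-destination"
        elif mb > limit:
            reason = "over-budget"
        else:
            continue  # within the expected budget, no alert
        alerts.append((device, dest, classify(dest), reason, mb))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(FLOWS, BUDGET_MB):
        print(alert)
```

With a fixed-destination policy every NVR flow alerts, which is the false-alarm problem in the post; the `isp-customer` tag at least separates subscriber-line endpoints from everything else when triaging.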

rscole86

#3207315 17-Mar-2024 19:57

I've got legit Dahua, from AliExpress, either way I wouldn't trust it on my main network while also connected to the internet.

IIRC it was trying to connect to an AWS host and Alibaba cloud.

It certainly was not connecting to anything local.



MadEngineer

#3207321 17-Mar-2024 20:49

Don’t allow it to talk to the world at all. Your only means of connecting to it or anything at all on your home network should never be done with pin holes. Instead use a VPN.




You're not on Atlantis anymore, Duncan Idaho.

neb

#3207324 17-Mar-2024 20:52

MadEngineer: Don’t allow it to talk to the world at all.

At which point the app stops working, which mostly defeats the whole point of having the thing.



lxsw20

#3207334 17-Mar-2024 21:46

Hence why they mentioned VPN. 


neb

#3207335 17-Mar-2024 21:49

lxsw20: Hence why they mentioned VPN.

Which still won't work if they're using a P2P mechanism, which is why I was asking if anyone knew the details of what they're doing.

richms

#3207339 17-Mar-2024 21:55

Notifications require it have internet access. If you block some and not all things trying to stop it from talking to weird places they will just decide that the cloud is unreachable and not even try to send anything out anymore.

 

 





Richard rich.ms

BadCo

#3207353 18-Mar-2024 00:41

Time to self-host your own NVR solution and firewall off a subnet for your cameras.

MadEngineer

#3207426 18-Mar-2024 11:45

Do you not recall how you set the NVR up on the app of your phone? Eg did you scan a QR code?

1. Set up a VPN on your home network of your chosen flavour
2. Disable P2P in the NVR settings (eg “P2P SETTING” depending on model)
3. In the Dahua app add the NVR using its local address with your phone on wifi that can access the NVR
4. Disconnect your phone from wifi, connect to your VPN, test that you can access the NVR.

From memory there’s an old NVR hack that relies on the device detecting if you’re on a “local” IP address to reset the admin login. The hack however could be trivially implemented by having the browser report to the NVR that you’ve accessed it through a local (non-routable) IP. Just one example of how vulnerable these things are.




You're not on Atlantis anymore, Duncan Idaho.

Oblivian

#3207492 18-Mar-2024 13:07

It may be getting missed here among the strong ways that were recommended don'ts? But the major sales point these days isn't barebones cameras you pinhole and expose to the internet to look at sometimes.

It seems to be push api and realtime alerting/snapshots sent to management apps on your behalf across cloud networks the providers stand up. Merged in with apple construct etc.

You're trusting their cloud is secure sure, but seems that was the trade off to all the bad rap. And needing to set up separate email alerting, jump on a VPN. Then try using the interface remotely.

Movement when not home? Ping. There's movement. Here's an included screenshot your camera included for you and link to upnp back down the pipe to your nvr got to us on for playback.

Given he's monitoring this traffic should soon tell if it was doing strange stuff accessing it from outside.

neb

#3207784 18-Mar-2024 23:07

MadEngineer: Set up a VPN on your home network of your chosen flavour

Then you don't get instant notifications and alerts any more, which again negates the major benefit of having the cameras.

This is why I asked "does anyone know what, if any, issues are involved in having the Dahua system manage it" rather than "how do I securely access the NVR remotely".
