Question on DNS numbers

Nov 17, 2019
10,811
6,475
136
Simple question, need just basic information, not a network manager level understanding.

I've picked up a few el-cheapo ChinaCameras ... $40-50 range. Nothing super advanced, but they give me various levels of pan, tilt and or zoom.

I've set my own IP addresses for my home network and the primary DNS is my router/modem address.

First question ... Can/should the Primary be something else?

Second question, what about the secondary DNS? It looks like they picked up the one from the router/modem, but should it be something else?

Not that I'm super paranoid, but I don't want the Chinese government watching me mow my lawn.
 

ch33zw1z

Lifer
Nov 4, 2004
37,768
18,046
146
Not much of an easy answer here. You can set whatever dns server you want, doesn’t really matter.

If your goal is to block your cameras from calling home / being controlled, DNS is only one way, and you need to know where they're calling home to.

The next, and real, protection is to block them from Internet access.
 

ch33zw1z

Lifer
> Yeah, I'm thinking PC. Router does have some abilities to do some blocking. Actiontec T3260, but branded and firmware modified by the ISP.

I'm not sure you understood me. Your PC doesn't control your Internet access or your devices' access. To block Internet access for specific devices, you will need a router that has that capability, or to get one that does.

That could be a physical device like a Ubiquiti, or a firewall, or a router OS like pfSense.
 

ch33zw1z

Lifer
> Pi-hole allows logging and blocking through a click or regex wild card. I block a ton of telemetry stuff that way.
Yes, but not necessarily going to lock down a camera from remote access. Possible, but not foolproof.

IMO, the only real way to play it safe is to put the cameras on a VLAN by themselves and block access to the WAN.
 

Tech Junky

Diamond Member
Jan 27, 2022
3,412
1,145
106
Well, a VLAN would be one option, but blocking DNS keeps the cam from initiating a flow back to the home server, and once you know where it's trying to go from the logs you can block it in the firewall by subnet from a whois lookup.

I wouldn't rely on a VLAN / DNS alone to block it, but it's a step in the right direction.
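The two posts above both hinge on the same step: read the resolver logs to learn which names the cameras are querying and which addresses those names resolve to, then block those networks at the firewall. The following is an added example, not code from the thread or from Pi-hole, showing that analysis over a few constructed dnsmasq-format lines (the format Pi-hole writes to pihole.log). The camera IPs, the `cam-vendor.example` names and the TEST-NET addresses are all made up; the allowlist of names a camera is permitted to resolve (here just an NTP pool) is an assumption you would tune for your own gear.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in dnsmasq/Pi-hole format (not real traffic).
# 192.168.1.50 and .51 are the hypothetical cameras, .20 is a PC.
SAMPLE_LOG = """\
Nov 20 21:03:11 dnsmasq[1234]: query[A] p2p.cam-vendor.example from 192.168.1.50
Nov 20 21:03:11 dnsmasq[1234]: forwarded p2p.cam-vendor.example to 1.1.1.1
Nov 20 21:03:11 dnsmasq[1234]: reply p2p.cam-vendor.example is 203.0.113.17
Nov 20 21:03:12 dnsmasq[1234]: query[A] time.cam-vendor.example from 192.168.1.51
Nov 20 21:03:12 dnsmasq[1234]: reply time.cam-vendor.example is 203.0.113.40
Nov 20 21:03:12 dnsmasq[1234]: query[A] pool.ntp.org from 192.168.1.51
Nov 20 21:03:12 dnsmasq[1234]: reply pool.ntp.org is 198.51.100.9
Nov 20 21:03:15 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Nov 20 21:03:15 dnsmasq[1234]: reply www.example.org is 198.51.100.77
Nov 20 21:03:20 dnsmasq[1234]: query[A] p2p.cam-vendor.example from 192.168.1.50
Nov 20 21:03:20 dnsmasq[1234]: cached p2p.cam-vendor.example is 203.0.113.17
"""

# dnsmasq log grammar: "query[TYPE] name from client" and
# "reply|cached name is address" (address may be "<CNAME>" for aliases).
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"(?:reply|cached) (?P<name>\S+) is (?P<addr>\S+)")


def parse_log(text):
    """Return (queries, answers).

    queries[client][name] = number of times that client asked for name
    answers[name]         = set of IP addresses the resolver returned for name
    """
    queries = defaultdict(lambda: defaultdict(int))
    answers = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m["client"]][m["name"].lower()] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            try:
                ip_address(m["addr"])
            except ValueError:
                continue  # "<CNAME>" or another non-address marker, skip it
            answers[m["name"].lower()].add(m["addr"])
    return queries, answers


def suspicious_queries(queries, answers, cameras, allow=frozenset()):
    """For each camera IP, list (name, count, [resolved IPs]) for every name
    it resolved that is not on the allowlist. Cameras with nothing to report
    are omitted, as are non-camera clients."""
    report = {}
    for client in sorted(cameras):
        hits = [
            (name, count, sorted(answers.get(name, ())))
            for name, count in sorted(queries.get(client, {}).items())
            if name not in allow
        ]
        if hits:
            report[client] = hits
    return report


def block_networks(ips, prefix=24):
    """Collapse resolved addresses into /prefix networks (default /24) as
    strings ready to paste into a firewall alias. Assumes one IP version;
    whois would tell you the real allocation size to block instead."""
    nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    queries, answers = parse_log(SAMPLE_LOG)
    report = suspicious_queries(
        queries, answers,
        cameras={"192.168.1.50", "192.168.1.51"},
        allow={"pool.ntp.org"},  # assumed allowlist: NTP is fine, vendor cloud is not
    )
    for cam, hits in report.items():
        for name, count, ips in hits:
            print(f"{cam} asked for {name} x{count} -> {', '.join(ips) or 'no answer seen'}")
    to_block = block_networks(ip for hits in report.values() for _, _, ips in hits for ip in ips)
    print("candidate firewall blocks:", ", ".join(to_block))
```

Run it against your real pihole.log (or `pihole -t` output) instead of the embedded sample; anything a camera resolves that you cannot explain is the "home server" the posts refer to. The /24 grouping is only a starting point: look the address up with whois and block the allocation it actually belongs to, and remember this catches only traffic that goes through your resolver, so a camera with a hard-coded IP or its own DNS server still needs the VLAN-level WAN block.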
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
If OP was talking about the device's DNS/gateway settings, just set a static IP for each camera and don't enter DNS/gateway info, or just enter 0.0.0.0 for all of them.

Security cameras don't need that info to work.
 

mxnerd

Diamond Member
> There are two reasons they might, and one is calling home and the other might be for firmware/software updates.

Yep, that's the only time it might need those settings. There's a 99% chance you don't need them, unless the vendor designs its products that way.

A PC's firmware update also does not require Internet access while updating.
 

Tech Junky

Diamond Member
> PC's firmware update also does not require internet access while updating.
My MOBOs can update over IP or USB. It's more of a pain, though, to do it over IP since I run multiple IFs over the CM in LACP and none of them are the onboard NIC, because it's temperamental with Linux until the proper drivers load. With the CM, though, you have to power cycle it any time you change the IF / MAC, and it's just a nuisance to deal with.

Now I have some other devices that need periodic updates that require a USB connection to update them, in which case it would be nice to do an OTA update instead, because they're mini/micro USB and I need to find the cables or use an adapter on them to get the SW/FW loaded.

Laptop is probably the easiest of them all: you download the EXE and run it, it reboots into UEFI update mode, and then reboots when done and is back to normal.
 

Tech Junky

Diamond Member
Downloaded files work as long as you have power and don't rely on the connection, which can be helpful. I run into issues occasionally when updating the kernel on my server and need to roll back offline when it takes a dump. I keep the last working files in the / directory and have a script saved there as well to mount everything for the system to roll back.

Automagic application of updates on things like routers, though, tends to be more of a PITA when trying to narrow down issues that can be caused by them. Seems most consumers like to not think about this sort of thing and then scream bloody murder when their network gets jacked by a bad firmware image that was applied overnight.
 
Nov 17, 2019
I'm reasonably certain these cheap ChinaCams will never get a firmware update, so if setting them to 0s will still allow me to view and log in/manage them on my internal LAN, I'd be OK with that.
 

Tech Junky

Diamond Member
Otherwise set it to some multicast IP, 239.x.x.x or higher, and it shouldn't be able to route anywhere. Or CGNAT... there are tons of different options.

Put them all on the same switch that's isolated and directly connect it to a PC using a different NIC.
 
Nov 17, 2019
See, that's the thing, I don't know which devices need the router to work.

I have switches all over the house with devices like printers and other things that don't really need web access.

Everything goes back to a single dumb switch with one LAN cable connected to the router/modem. The PC I'm typing on and a couple of Android devices connect to the router/modem by wireless.

I guess I could pull that one LAN cable, which should cut everything hardwired off the web. The NVR is hardwired, so it should still display the cameras I guess, but that would cut my viewing on this PC and the Androids.

Another thought is that I have a spare router/modem or two. I guess I could connect the LAN to one of those and hit it by wireless when I want to view the cameras.
 

Tech Junky

Diamond Member
Outside of the cam / call home issue.....

I found a quirk after updating to Android 12 on my phone where it allows Chrome to bypass my static info completely to allow ads when they were being blocked with Pi-hole. This is a bit perplexing, because all other apps block them properly as they did before. Seems Google put in a backdoor to allow traffic to bypass things in A12.

This is a bit perplexing as to how they're doing this without permission. I'm still digging into it, though, trying to figure out how they're circumventing explicit settings. Chrome didn't exhibit this behavior on A11, so it's not Chrome doing it. At least I don't think so yet.
 
Nov 17, 2019
Playing around just now ....

Unplugged that one LAN cable from all the switches to the router/modem.

Set one of the Android devices to access the spare router/modem SSID (not connected to the web) and I can view all of the cameras.

Set this PC to that spare router/modem SSID and I can view the cameras but NOT browse the web.

Set this PC back to the main router/modem SSID and I can browse the web, but NOT view the cameras.

So, that part seems to be working OK.

I also have a hardwired LAN connection on this PC. Plugging that in gets me access to the cameras via hardwire and lets me browse the web via WiFi.

Something odd, though. I don't know why, but none of these cameras will display on any browser other than IE. Some ActiveX thing, I guess. When I open IE it runs really slow. It eventually works, but takes several seconds to display a camera. Once logged in, control is OK. It's only slow under this setup, though. Under my normal setup, where the hardwire and wireless are on the same router/modem, it works fine.