A summary of what you found would be enough, but if you want to IM me a Wireshark trace or stick it someplace I can get it, I can take a look.
Running Pi-hole on your LAN will show what’s happening re: the DNS lookup issue. You might see thousands of attempts per day from one camera. Pretty annoying.
I’d expect you see a lot of DNS lookup attempts that lead back to the vendor in China. Hopefully you don’t see it trying to open any connections to the vendor if you’ve blocked it from accessing the Internet outbound (likely it wouldn’t try until you let the DNS resolve, even if you do that only one time as a test).
My Amcrest and my Foscam knockoff both basically drive themselves crazy trying to do DNS lookups so they can then phone home, presumably for the mobile app remote access to the camera which is the scary stuff. For Amcrest and clones, there is no way to turn that behavior off.
Anything Dahua or Hikvision or the like does the same thing. I have not found any model camera that is network capable that does not do this.
The pattern is:
- the firmware has a hardcoded FQDN in it that it tries to reach
- it will do DNS lookups until it succeeds
- it will then open connections to the vendor site (presumably) so the mobile app will work
I still run my (US) Amcrest on the LAN as a feed for zoneminder running in a Docker container, but I block it from getting out of the LAN completely, or at least I ‘think’ I still block it. Maybe I need another test too. A power reset on the camera will definitely cause it to start over in whatever it does…
(note - this is similar to what WF does on the Hub looking for time services and connecting to the WF servers, except we trust the WF guys a bit more)
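An added example, not part of the original post: one way to pick the retry pattern described above out of a Pi-hole log, by counting lookups per client and name. The dnsmasq line format, the sample lines, the hostnames and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import Counter

# dnsmasq "log-queries" line shape, as found in a Pi-hole log (assumed format).
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$")

def count_queries(lines):
    """Count lookups per (client IP, queried name); non-query lines are ignored."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if m:
            counts[(m["client"], m["name"].lower().rstrip("."))] += 1
    return counts

def retry_loops(lines, min_count=5, min_share=0.5):
    """Flag names a client asks for at least min_count times and that make up
    at least min_share of that client's lookups: the retry-until-success pattern."""
    counts = count_queries(lines)
    per_client = Counter()
    for (client, _name), n in counts.items():
        per_client[client] += n
    hits = [(client, name, n) for (client, name), n in counts.items()
            if n >= min_count and n / per_client[client] >= min_share]
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample: a camera (192.168.1.50) retrying one name, a laptop browsing.
SAMPLE_LOG = (
    ["Mar  3 10:00:%02d dnsmasq[512]: query[A] p2p.camera-vendor.example from 192.168.1.50" % s
     for s in range(0, 60, 10)]
    + ["Mar  3 10:00:05 dnsmasq[512]: gravity blocked p2p.camera-vendor.example is 0.0.0.0",
       "Mar  3 10:00:07 dnsmasq[512]: query[A] time.camera-vendor.example from 192.168.1.50",
       "Mar  3 10:00:11 dnsmasq[512]: query[A] example.org from 192.168.1.20",
       "Mar  3 10:00:12 dnsmasq[512]: reply example.org is 192.0.2.10",
       "Mar  3 10:00:15 dnsmasq[512]: query[AAAA] example.net from 192.168.1.20",
       "Mar  3 10:00:19 dnsmasq[512]: query[A] example.com from 192.168.1.20"]
)

if __name__ == "__main__":
    for client, name, n in retry_loops(SAMPLE_LOG):
        print(f"{client} asked for {name} {n} times")
```

On a real log, raise `min_count` to match the volume you consider abnormal for a day of lookups from one device.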