i am not blaming anything, but this is not good at all.
Here is a firm question then.
How can I setup in Mikrotik that one particular host (for eg the NVR) can only reach an IP or a DNS name (IP range) ?
This is very easy to setup in Sophos firewall, but I am not familirar much with Mikrotik.
So, If I could do this with Mikrotik, then the NVR could only reach the Camera vendor Cloud and they could not use it for DDoS stuff.
Is there a instruction or wiki on this? Again, I just want to secure this great little toy, so at least the Mikrotik users wont be effected next time.
In simple terms, what you need is to setup the firewall to accept all you want to pass through and drop all others. You can modify this and use as follows. Note that the accept rules must come before the drop rule in that sequence:
/ip firewall filter
add action=accept chain=forward dst-address=y.y.y.y src-address=x.x.x.x
add action=drop chain=forward src-address=x.x.x.x
Where y.y.y.y is the IP corresponding to the DNS name. x.x.x.x is the IP of your NVR.