I am wondering what the best way to allow only traffic on port 123 (ntpd) so the camera are able to set their time using only a specific domain (pool.ntp.org). If a specific domain isn't possible, is the best strategy to run a ntpd on the router itself and let the cameras use that?
I would say so, if only for the fact that you don't even have to install an ntp server -- the NTP "client" in OpenWrt is already able to act as a server, activated by enable_server in the config. All you then have to do is open port 123 to the router, just as you did with 53, 67, and 68, and have the camera request time from the router's IP.