So I have stopped and disabled dnsmasq and yet still, every time the device has internet (in my case a Ubiquiti AP AC LR) I find port 53 opens again regardless of whether dnsmasq is running or not.
I do not want this device to have the capability to do DNS queries. How can I CLOSE DNS port 53 on ALL interfaces?
On a default OpenWrt install, dnsmasq is the sole service binding to port 53. If it is indeed stopped and disabled, nothing should bind to it anymore.
Also please define "open". Does it reply to DNS queries or is nmap reporting "filtered"?
Edit: hmm, you wrote "I do not want this device to have the capability to do DNS queries". Does that mean you don't want the device (OpenWrt) itself to be able to do DNS queries? In this case disabling dnsmasq is not needed. Just set option peerdns 0 on your WAN interface. This should prevent the system from acquiring a valid DNS server entry.
You do need to be more precise I'm afraid. What is "it"? The OpenWrt access point or the client device? Where do you run nmap? On OpenWrt or on the client device? Who should be unable to resolve DNS? OpenWrt or the client device?
I should answer using a laptop, that would be easier... But let's get a few things straight. DNS info gets pushed by the DHCP server (or configured manually).
This means your DNS IP is given to the client. You can then decide if you want to run one yourself, or just use a public one from your ISP, Google, Cloudflare, ...
A client will send requests to the DNS server it got from DHCP or manually entered. No binding/blabla required.
If you do not want a device to be able to do DNS lookups, don't give it a DNS server (explained above). If however, the client has its own DNS config, remove that. If you can't, you can use OpenWrt to block those requests. If, however, that client uses DNS over HTTPS and/or TCP, you will have to block that too.
But then my more fundamental question: why would you want to (only?) block DNS traffic?
I'm trying to block the AP itself from performing DNS queries. Meaning that all DNS queries are handled by the appropriate DNS server, in this case my router.
Therefore, if someone tries to use my AP 172.16.101.3 as a DNS server, it will fail as the device is not capable of resolving DNS queries.
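An added example (not code from this thread or from the OpenWrt project) that ties the two answers together: first the "define open" check, i.e. what process is actually bound to port 53 according to netstat, and second the two settings discussed above, `option peerdns 0` on the upstream interface so the AP never learns a resolver, plus an explicit firewall REJECT for DNS addressed to the AP itself so a client that points at 172.16.101.3 gets an immediate refusal instead of an answer. Assumptions: the upstream interface is named `wan` (on a dumb AP it may be `lan`, pass the name as the second argument), the firewall service is enabled on the AP, and the netstat output embedded here is a constructed sample for offline use.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project.
# 1) Check what is really bound to port 53 (the "define open" question).
# 2) With --apply on the AP: peerdns=0 on the upstream interface and a
#    REJECT rule for port 53 aimed at the AP itself.

# Constructed sample of BusyBox `netstat -lntup` output, used when not on the device.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/dropbear
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq'

# listeners_on_port PORT: read netstat output on stdin and print "PID/program" for
# every socket whose local address ends in :PORT (matches 0.0.0.0:53 and :::53 alike),
# deduplicated. UDP lines have no State column, so only $4 and $NF are relied on.
listeners_on_port() {
    awk -v p=":$1" 'NR > 2 && substr($4, length($4) - length(p) + 1) == p { print $NF }' | sort -u
}

# Same check against the constructed sample, so it runs anywhere.
sample_listeners_on_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_port "$1"
}

# Live check on the AP: empty output means nothing answers on 53, which is the goal.
live_listeners_on_port() {
    netstat -lntup 2>/dev/null | listeners_on_port "$1"
}

# harden_ap_dns IFACE: IFACE is the assumed upstream interface name (default wan,
# on a dumb AP it may be lan). Requires the firewall service to be enabled.
harden_ap_dns() {
    iface="${1:-wan}"
    # Do not accept resolver addresses from upstream DHCP, so the AP has no usable DNS.
    uci set "network.$iface.peerdns=0"
    uci commit network
    # Explicitly refuse DNS sent to the AP itself (no dest zone = INPUT chain).
    # REJECT gives the client an immediate error rather than a silent timeout.
    uci add firewall rule >/dev/null
    uci set 'firewall.@rule[-1].name=Reject-DNS-to-AP'
    uci set 'firewall.@rule[-1].src=lan'
    uci set 'firewall.@rule[-1].proto=tcp udp'
    uci set 'firewall.@rule[-1].dest_port=53'
    uci set 'firewall.@rule[-1].target=REJECT'
    uci commit firewall
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    harden_ap_dns "${2:-wan}"
    echo "Listeners on 53 now: $(live_listeners_on_port 53)"
else
    echo "Sample listeners on 53: $(sample_listeners_on_port 53)"
fi
```

Without `--apply` the script only parses the constructed sample; on the AP, `netstat -lntup | listeners_on_port 53` shows whether anything is still bound, and if dnsmasq really is stopped it prints nothing, in which case a client querying the AP already gets "port unreachable". The REJECT rule makes that refusal deliberate and keeps it in place even if dnsmasq is re-enabled later by an upgrade or a config reset.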