DNS resolve WDS client -> WDS AP issue

My setup is a WDS client connected to a WDS AP. The WDS client's DNS forwardings IP address is set to the WDS AP.

SSH into WDS client. Ping hostname that is listed in WDS AP active leases. The result is ping: send to: Permission Denied. I tried playing with most of the DNS config options on the client and AP side with no success.

Is this a firewall issue or a config issue?

If I SSH into the WDS client I can successfully ping any FQDN on the internet. I just cannot query the DNS active leases on the WDS AP.

Does https://www.google.com/search?q="ping%3A+sendto%3A+Permission+Denied" offer any pointers?

For now I have overcome this by installing NFS and exporting the /tmp/ folder on the AP then mounting /tmp/ on the CLIENT and adding the dhcp.leases file into the DNS section of the client. Not sure of the security implications or if this is the actual and correct way to do it. I would still prefer DNSmasq to serve the dhcp.leases file if possible.

Unresolved for now.

The default configuration is rebind protection on, which blocks the client from resolving local names from another local server.
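The filtering described in the post above, as an added example that is not part of the original thread and not dnsmasq's own code: a simplified model of how a forwarder with rebind protection treats upstream replies, and how exempting one local domain differs from switching the protection off. The function names, the `lan` domain, the hostnames, the addresses and the list of private ranges are assumptions made for the illustration.

```python
import ipaddress

# Simplified model of dnsmasq-style rebind protection (assumed range list).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it."""
    q = qname.rstrip(".").lower()
    d = domain.strip(".").lower()
    return q == d or q.endswith("." + d)


def accept_upstream_reply(qname, answers, protection=True,
                          localhost_ok=True, allowed_domains=()):
    """Decide whether a forwarder passes an upstream A-record reply on.

    Returns (accepted, reason). Hypothetical helper, not a dnsmasq API.
    """
    if not protection:
        return True, "rebind protection off"
    if any(in_domain(qname, d) for d in allowed_domains):
        return True, "domain exempted"
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip in LOOPBACK:
            if localhost_ok:
                continue
            return False, f"loopback address {a}"
        if any(ip in net for net in PRIVATE_NETS):
            return False, f"private address {a}"
    return True, "no private addresses"


# Constructed sample replies, as the CLIENT would receive them from the AP.
SAMPLES = [("nas.lan", ["192.168.1.50"]), ("example.com", ["93.184.216.34"])]

if __name__ == "__main__":
    # Default policy, one exempted local domain, protection fully disabled.
    for policy in ({}, {"allowed_domains": ["lan"]}, {"protection": False}):
        for qname, answers in SAMPLES:
            print(policy, qname, accept_upstream_reply(qname, answers, **policy))
```

On OpenWrt the three policies correspond to the `rebind_protection`, `rebind_localhost` and `rebind_domain` options of the dnsmasq section in `/etc/config/dhcp`. Exempting only the local domain keeps the filter active for every other name.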

I had anticipated this and configured the lan interface on CLIENT to directly query the DNS on AP. The result is the same which is unable to resolve addresses in the dhcp.leases file on the AP for queries from the CLIENT.

My apologies... you are correct with the rebind protection on the CLIENT.

Devices connecting to the CLIENT can now resolve the dhcp.leases file on the AP.

I am still having trouble, though, resolving the dhcp.leases file on the AP when I SSH into the CLIENT. I know it does seem odd that devices that connect to the wireless on the CLIENT can ping hostnames in the dhcp.leases file on the AP, but when I SSH into the CLIENT and ping hostnames listed in the dhcp.leases file it fails. BTW: it now fails with ping: bad address