If you can't identify the device and either confirm that it is safe or shut it down, it would be safest to make a firewall rule to block it from everything.
You have rejected forwarding. However getting an address by dhcp or querying the dns server is considered input, that means from lan without destination (or the device).
You'll have to wait for the lease to expire. Or find the device and reboot it
@trendy Thanks for the help.
Actually, I remembered that I could go into /tmp/dhcp.leases and delete the row, save the file, then select 'Reset' from the DHCP page in Luci and the address disappears from the list.
It would be a nice addition to Luci if we could select 'release', like we can for wireless connections to release the DHCP address.