I have created a "guest" firewall zone that I have associated with my Guest WiFi acording to some (ancient?) guide I found on the old OpenWRT site.
Guest network is on subnet 192.168.3.x and trusted stuff is on 192.168.0.x.
Everything works fine and I cannot ping stuff on 192.168.0.x from 192.168.3.x guest zone.
But then I tried a nmap port scan from my "isolated" guest zone and it says that port 53 is open on every active device in trusted zone.
So basically, a guest WiFi client having IP 192.168.3.100 and running nmap says it found port 53 open on my PC on 192.168.0.100 and can resolve its name. (it cannot do much else though)
I suppose this is some DNS configuration that I missed. How do I prevent my DNS from "leaking" information on what devices are available on my other (trusted) subnet?
Thanks.
P.S. I also have Adblock installed on the router which does some port forwarding on port 53. Can this be the issue?
Please post here the output of the following command, copy and paste the whole block:
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c ; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Please use "Preformatted text </>" for logs, scripts, configs and general console output.
Remove any sensitive data from the output, like passwords, wifi keys, etc
Likely it's the Adblock rules. My guess is that it redirects dns queries to local OpenWrt box and blocking ads by blocking their domain name resolution. Maybe editing the "From any host" to "From trusted zone" can verify if it is the case.
Unfortunately, it is not the case. I tried disabling the top two rules and DNS is still able to resolve addreses in trusted zone Can I somehow force DNS to "forget" everything in 192.168.x.x subnet?
Can I somehow force DNS to "forget" everything in 192.168.x.x subnet?