I have created a "guest" firewall zone that I have associated with my Guest WiFi according to some (ancient?) guide I found on the old OpenWRT site.
Guest network is on subnet 192.168.3.x and trusted stuff is on 192.168.0.x.
Everything works fine and I cannot ping stuff on 192.168.0.x from 192.168.3.x guest zone.
But then I tried a nmap port scan from my "isolated" guest zone and it says that port 53 is open on every active device in trusted zone.
So basically, a guest WiFi client having IP 192.168.3.100 and running nmap says it found port 53 open on my PC on 192.168.0.100 and can resolve its name (it cannot do much else though).
I suppose this is some DNS configuration that I missed. How do I prevent my DNS from "leaking" information on what devices are available on my other (trusted) subnet?
Thanks.
P.S. I also have Adblock installed on the router which does some port forwarding on port 53. Can this be the issue?
Likely it's the Adblock rules. My guess is that it redirects DNS queries to the local OpenWrt box and blocks ads by blocking their domain name resolution. Maybe editing the "From any host" to "From trusted zone" can verify if it is the case.
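As an added illustration of the suggestion above (not a config from this thread or from the Adblock package), here is an /etc/config/firewall excerpt where the Adblock DNS redirect is limited to the trusted zone instead of any host, next to a guest zone that the redirect no longer touches. The zone name lan, the network names and the rule names are assumptions.

```uci
# /etc/config/firewall (excerpt, constructed example)

# Adblock-style DNS intercept. With "option src" set to the trusted zone
# only, the DNAT no longer catches guest traffic, so a guest nmap probe
# to 192.168.0.x:53 is no longer answered by the router on behalf of every
# address; it falls through to the guest->lan forward policy below.
config redirect
	option name 'Adblock DNS, 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

# Guest zone: cannot reach the router (input) or other zones (forward)
# except where a rule or forwarding below says otherwise.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests get Internet only.
config forwarding
	option src 'guest'
	option dest 'wan'

# Guests may still use the router's own dnsmasq and DHCP. Note that this
# is what lets a guest resolve trusted-zone hostnames: dnsmasq answers
# DHCP lease names to any client that is allowed to query it.
config rule
	option name 'Guest DNS and DHCP'
	option src 'guest'
	option dest_port '53 67 68'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

After editing, reload with `/etc/init.d/firewall restart` and re-run the scan from the guest side; port 53 on 192.168.0.x should now report filtered rather than open.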
Unfortunately, it is not the case. I tried disabling the top two rules and DNS is still able to resolve addresses in the trusted zone. Can I somehow force DNS to "forget" everything in the 192.168.x.x subnet?