@wrtfan - Exactly as @darksky said, you are probably probing the LAN, as those ports are ssh, dns, and http (ssh and http are for you to be able to log in and configure your router, dns is a more-or-less universal thing to need).
Going one step further than @darksky, try probing your network from a device that is not connected to your network (go to work/school/library/friend, etc. or you can use your mobile phone with wifi disabled so that it uses cellular data). The reason this is important is that some of the port scanning websites will use an app embedded in the page that runs locally on your machine to do the probing, and therefore if it is running on a device from within the network, it may report LAN side open ports).
OpenWrt firewall is based on a zone model.
Zone assignment relies on the network interface, which receives/sends traffic.
So when you test open ports from LAN, it uses LAN-zone policy, and IP-address doesn't matter.
netstat -anl or the like doesn't show what the firewall allows, only what sockets are listening. It is not surprising that an application open a listener on all interfaces' IP addresses, or on the wildcard address. For many services, listening on all interfaces is the default configuration. In cases where the service should not be provided to a given topological domain, access to the listener can be blocked by the firewall.
Many applications allow the listeners to be specified in config. How this is done will vary by application and may not be available through LuCI, or even through the OpenWrt UCI configuration files.