Network Mode: Access Point: still DNS proxy?

After changing my GL.iNet White (GL-AR150 with firmware 3.201-release) into the mode ‘Cable LAN’ via the Web interface → More → Network Mode: Access Point, I still see dnsmasq being offered on all interfaces, even public ones. I checked this with netstat -tulpen on the SSH interface.

@GL.iNet, is it possible to disable that in the network mode Access Point? Or, if dnsmasq is required internally, restrict it to the localhost interfaces? Currently, an attacker on the network could use that DNS proxy to cloak himself, because services exist which allow surfing via DNS.

OK. Understood. Let me check with developers.

Jepp, just change from ANYHOST ( 0.0.0.0 and :: ) to LOCALHOST ( 127.0.0.1 and ::1 ) in mode Access Point. And when I change back to mode Router, change to ANYHOST again.

Adding

listen-address=::1,127.0.0.1

to the file /etc/dnsmasq.conf did the trick. With that, the DNS proxy no longer listens globally but only locally. Until now, I found no way to do this via UCI.
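The netstat check described in this thread, as an added example that is not part of the original post: a small shell audit that reads `netstat -tulpen` style output and reports every port-53 listener bound to something other than loopback, so the before/after state of the listen-address fix can be verified (and re-checked after a mode switch). The two netstat samples are constructed, not captured from a real device.

```shell
#!/bin/sh
# Audit dnsmasq listening sockets from `netstat -tulpen` output.
# Prints "proto local-address" for each port-53 socket that is NOT bound
# to 127.0.0.1 or ::1. Usage on the router: netstat -tulpen | exposed_dns_listeners

# Constructed sample (busybox netstat layout) BEFORE the fix:
# dnsmasq bound to the wildcard addresses 0.0.0.0 and ::.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/dropbear
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 :::53                   :::*                                1234/dnsmasq'

# Constructed sample AFTER adding listen-address=::1,127.0.0.1 to dnsmasq.conf.
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      1234/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1234/dnsmasq
udp        0      0 ::1:53                  :::*                                1234/dnsmasq'

# exposed_dns_listeners: netstat text on stdin -> non-loopback port-53 listeners on stdout.
exposed_dns_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # The port is the text after the last colon; the rest is the host
            # (works for "0.0.0.0:53", ":::53", "::1:53" and "127.0.0.1:53").
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port != "53") next
            if (host == "127.0.0.1" || host == "::1") next
            print $1, host
        }'
}

# dns_is_open: exit 0 (true) when stdin shows an open DNS listener, 1 otherwise.
dns_is_open() {
    [ -n "$(exposed_dns_listeners)" ]
}

# Demonstration on the constructed samples.
echo "Before fix:"; printf '%s\n' "$SAMPLE_BEFORE" | exposed_dns_listeners
echo "After fix:";  printf '%s\n' "$SAMPLE_AFTER"  | exposed_dns_listeners
```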

Any response? Without that trick above, I have a so-called Open DNS Resolver. That could become a real pain not only for others but also for myself, because in a travel scenario I might be in an untrusted network. If each client is isolated, an attacker could browse† via my Open DNS Resolver, hiding himself behind my GL.iNet access point.

† There exist HTTP-over-SSH-over-DNS services, called DNS tunneling.