If ZS acts as the DNS server for wifi clients (and so they have the IP of ZS as def-gw as well as DNS), shouldn't it be enough to add a couple of rules? In the FORWARD chain, in 1st and 2nd place:
1 ETH00 * DROP udp opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
2 ETH00 * DROP udp opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 udp spt:53
Edit … you can also disable the free DNS service for CP users; this can be done under ‘Users’ > ‘Captive Portal’ > ‘Free Authorized Services’: remove ‘Domain Name System’.