Bug
Resolution: Done
Critical
3
False
True
HCIDOCS 2024#3, HCIDOCS 2024#5
2
The exposed port is being documented in an OCP docs PR (link below). When the PR is merged, I recommend adding a note about the exposed port to the Overview of IPI install on bare metal because this behavior is unexpected. The note should mention the exposed port and link to the DNS forwarding module.
The customer is using OCP 4.10.63 and the cluster has been deployed using IPI on bare metal (BM) with routable IPs. The issue is that the CoreDNS port (53) is exposed at the node level and is therefore accessible from other routable networks.
CoreDNS service ports are mapped onto the host: port 53 is exposed at the node level by the coredns pods in the openshift-kni-infra namespace, which is by design in setups like these. It would be a great help if we could get this documented in our official documentation on priority.
[admin@wtc1coam1prov ~]$ oc get pods -A | grep coredns
openshift-kni-infra coredns-wtc1coam1cmpt1.wtc1coam1.eng.mobilephone.net 2/2 Running 16 158d
openshift-kni-infra coredns-wtc1coam1cmpt2.wtc1coam1.eng.mobilephone.net 2/2 Running 16 158d
[core@slabnode1057 ~]$ sudo netstat -tunlp | grep 53
tcp6 0 0 :::53597 :::* LISTEN 5248/rpc.statd
tcp6 0 0 :::9537 :::* LISTEN 5605/crio
tcp6 0 0 :::53 :::* LISTEN 7067/coredns
udp6 0 0 :::53 :::* 7067/coredns
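The two checks a practitioner would want here, as an added example that is not part of the bug report or of OpenShift itself: first, parse `netstat -tunlp` output and flag any port 53 listener bound to a wildcard address (`0.0.0.0` or `::`), which is what makes it reachable from other routed networks; second, from a host on another routable network, send a single UDP DNS query to the node IP and confirm that the node-level CoreDNS answers. The sample netstat text is constructed from the shape of the output above (the extra `kubelet` line is made up to show that a loopback-bound listener is not flagged); the queried name, the node IP and the function names are illustrative assumptions.

```python
import socket
import struct

# Constructed sample in the shape of `sudo netstat -tunlp | grep 53` from the report.
# The loopback kubelet line is invented to show a non-exposed listener being skipped.
NETSTAT_SAMPLE = """\
tcp6       0      0 :::53597                :::*                    LISTEN      5248/rpc.statd
tcp6       0      0 :::9537                 :::*                    LISTEN      5605/crio
tcp6       0      0 :::53                   :::*                    LISTEN      7067/coredns
udp6       0      0 :::53                   :::*                                7067/coredns
tcp        0      0 127.0.0.1:9099          0.0.0.0:*               LISTEN      4410/kubelet
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}


def parse_netstat(text):
    """Parse `netstat -tunlp` lines into dicts: proto, addr, port, pid, program.

    Header lines are skipped. UDP rows have no State column, so the PID/Program
    field is taken from the last token rather than a fixed column index.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = parts[3].rpartition(":")
        pid, _, program = parts[-1].partition("/")
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "pid": pid, "program": program})
    return rows


def exposed_dns_listeners(rows):
    """Return port 53 listeners bound to a wildcard address, i.e. reachable on every node IP."""
    return [r for r in rows if r["port"] == 53 and r["addr"] in WILDCARD_ADDRS]


def build_dns_query(name, txn_id=0x1234, qtype=1):
    """Build a minimal DNS query (RD=1, class IN) for `name`; qtype 1 is A."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_response(data, expected_id):
    """Return (rcode, answer_count) if `data` is a response matching our txn id, else None."""
    if len(data) < 12:
        return None
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txn_id != expected_id or not flags & 0x8000:  # QR bit must be set
        return None
    return flags & 0x000F, an


def probe_node_dns(node_ip, name, port=53, timeout=2.0):
    """From an external host, send one UDP query to node_ip:53.

    Returns (rcode, answer_count) if the node's CoreDNS answered, None on timeout
    or if the reply does not match. Any non-None result means port 53 is reachable
    from the network this probe runs on.
    """
    txn_id = 0x4B1D
    query = build_dns_query(name, txn_id=txn_id)
    family = socket.AF_INET6 if ":" in node_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (node_ip, port))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_dns_response(data, txn_id)


if __name__ == "__main__":
    for r in exposed_dns_listeners(parse_netstat(NETSTAT_SAMPLE)):
        print(f"exposed: {r['proto']} [{r['addr']}]:{r['port']} pid={r['pid']} ({r['program']})")
    # Illustrative only: node IP and name are assumptions, run this from another routed network.
    # print(probe_node_dns("192.0.2.10", "api-int.example.invalid"))
```

Run the parsing part against the real `sudo netstat -tunlp` (or `ss -tunlp`) output on a node; the probe part must be run from a host outside the cluster's network to demonstrate the exposure the report describes.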