So I guess I answered my own question. tcpdump shows no outbound traffic from the phone to the WAN at the DNS server address. The LuCI connection list shows a connection to the WAN DNS server and a connection to the local DNS server. So the WAN DNS server connection is just internal to my router, which is funneling the traffic back to the local DNS, right?
It's hard to say without seeing your local network configuration, but I would expect the phone to be sending DNS queries to your gateway (router) address, and the router querying external DNS and relaying back to your phone.
Moreover, though, if you are truly looking for control over DNS (including devices/apps that have inherent DoH), you might consider a more comprehensive approach of installing/using a combination of https-dns-proxy (enabling the setting to hijack DNS) and BanIP (adding the blocklist for external DoH servers).
There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
So your initial rule was probably redirecting to some vlan3 local IP, and your local DNS server is probably not configured to listen on that interface.
You can either bind your local DNS server to listen on the vlan3 interface, or manually specify a dest_ip on some interface your local DNS server is listening on.
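As an added example (not code from this thread, and not the OpenWrt project's own), here is an `/etc/config/firewall` redirect that takes the second option above: instead of relying on the implicit REDIRECT behaviour (DNAT to the incoming interface's address), it sets `dest_ip` explicitly to the address the local resolver is bound on. The zone name `vlan3`, the resolver address `192.168.1.1` and the rule name are assumptions for illustration.

```uci
# Added example, not from the original thread.
# Assumes a firewall zone named 'vlan3' and a local DNS server
# (e.g. dnsmasq) listening on 192.168.1.1.
config redirect
	option name 'vlan3-dns-hijack'
	option src 'vlan3'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	option dest_port '53'
```

Apply it with `/etc/init.d/firewall restart`, confirm the resolver really is bound on the chosen address with `netstat -ulnp | grep ':53'`, and then repeat the tcpdump on the vlan3 interface for port 53 to see the rewritten destination. If you take the first option instead (binding the resolver on the vlan3 address), `dest_ip` and `dest_port` can be dropped and the rule falls back to the plain redirect. Either way this only catches plain port-53 DNS; clients using DoH over 443 are the case the https-dns-proxy/BanIP suggestion above is meant to cover.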