Phantom connections?

I have a recursive caching DNS server on my LAN, used by my Openwrt as its DNS server. My LAN clients all point to my Openwrt dnsmasq as their DNS server.

To prevent rogue DNS queries from android devices, I have some iptables rules set up to DNAT all outgoing DNS queries not coming from my DNS server to the Openwrt's LAN interface. They're clearly working, as you can see from the packet counters below.

Chain PREROUTING (policy ACCEPT 615K packets, 77M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 632K   78M prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
10704  642K RETURN     tcp  --  br-lan *       <mydnsserver>        0.0.0.0/0            tcp dpt:53
 249K   23M RETURN     udp  --  br-lan *       <mydnsserver>        0.0.0.0/0            udp dpt:53
16943 1135K DNAT       udp  --  br-lan *       0.0.0.0/0           !<openwrt>            udp dpt:53 to:<openwrt>:53
    0     0 DNAT       tcp  --  br-lan *       0.0.0.0/0           !<openwrt>            tcp dpt:53 to:<openwrt>:53

I also have softflowd running on Openwrt and uploading everything to an ELK stack, where I use a Kibana dashboard known as Elastiflow to visualize the data.

The softflow daemon hangs off the br-lan interface, not the WAN interface, so that the proper source and destination addresses show up in the netflow records; otherwise it just shows the firewall WAN IP, which isn't very helpful when trying to identify which clients are doing what.

Looking at the netflow data, it shows flow records for outgoing DNS queries from multiple LAN clients to Google DNS servers, among others, which theoretically should not be possible with the above iptables rules in place.

Is it safe to assume that this is precisely because the softflow daemon is hanging off the br-lan device and seeing the packets before their IP address is NAT'ed and thus reporting the flow as being between the client and Google when in reality it's actually between the client and my Openwrt due to the DNAT rules?

Yes, that is safe to assume - because it is correct. The softflowd merely sees ALL flows RX by the interface.

It is helpful to see any traffic you're dropping or successfully filtering...like in this case on LAN! :wink:

:warning: BTW...you should notice that there's no flow in the opposite direction (i.e. no flow noting the reply to the client from the server).
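One way to confirm from the router itself that those Google-bound flows really were rewritten, as an added example that is not part of either post: the conntrack table keeps both the original tuple (what softflowd on br-lan exports) and the NAT'ed reply tuple, so comparing the two separates redirected queries from any that bypassed the rule. The sample lines, the addresses (192.168.1.1 for the Openwrt box, 192.168.1.10 for the resolver) and the function name are all constructed for this example.

```python
import re

# Constructed sample of `conntrack -L` output on the router (not real data).
# Each line carries the original tuple as sent by the client, followed by the
# reply tuple as seen after NAT. 192.168.1.1 is the (hypothetical) Openwrt box,
# 192.168.1.10 the allowed recursive resolver.
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.1.50 dst=8.8.8.8 sport=51234 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51234 mark=0 use=1
udp      17 29 src=192.168.1.51 dst=8.8.4.4 sport=44444 dport=53 src=8.8.4.4 dst=192.168.1.51 sport=53 dport=44444 mark=0 use=1
udp      17 170 src=192.168.1.10 dst=1.1.1.1 sport=40000 dport=53 src=1.1.1.1 dst=192.168.1.10 sport=53 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=93.184.216.34 sport=50000 dport=443 src=93.184.216.34 dst=192.168.1.50 sport=443 dport=50000 [ASSURED] mark=0 use=1
"""

# Original tuple first, then (after any flags) the reply tuple.
TUPLE_RE = re.compile(
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+)"
    r".*?src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)


def classify_dns_flows(conntrack_output, router_ip, resolver_ip):
    """Return one record per port-53 flow, noting whether NAT rewrote it.

    original_dst is what a flow exporter on br-lan (pre-NAT) reports;
    actual_dst is where the packets really went (the reply tuple's source).
    """
    records = []
    for line in conntrack_output.splitlines():
        m = TUPLE_RE.search(line)
        if not m or m["odport"] != "53":
            continue  # not a DNS flow (or not a conntrack entry at all)
        client, original_dst, actual_dst = m["osrc"], m["odst"], m["rsrc"]
        if client == resolver_ip:
            status = "allowed"      # the resolver itself may talk upstream
        elif actual_dst == router_ip and original_dst != router_ip:
            status = "redirected"   # DNAT worked; Kibana still shows original_dst
        elif actual_dst == original_dst and original_dst != router_ip:
            status = "leaked"       # left the LAN untouched: the rule missed it
        else:
            status = "direct"       # client asked the router in the first place
        records.append({"client": client, "proto": line.split()[0],
                        "original_dst": original_dst, "actual_dst": actual_dst,
                        "status": status})
    return records
```

Run it over real `conntrack -L` output on the router: "redirected" rows are exactly the phantom Google flows from the dashboard, and any "leaked" row is a query the DNAT rule did not catch.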