Strange DROP_FORWARD messages within same segment

Hi there,

since I’m forced by my employer to use an out-of-the-box Android 10 phone for work (i.e. no LineageOS, no data protection etc.) I notice the following messages in my firewall log (throughout the day every 20 minutes, 8 messages):

Nov 22 20:18:13 ipfire kernel: DROP_FORWARD IN=blue0 OUT=blue0 MAC=yy:yy:yy:yy:yy:yy:xx:xx:xx:xx:xx:xx:08:00 SRC=192.168.1.118 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=24137 DF PROTO=UDP SPT=33270 DPT=53 LEN=68 
Nov 22 20:18:18 ipfire kernel: DROP_FORWARD IN=blue0 OUT=blue0 MAC=yy:yy:yy:yy:yy:yy:xx:xx:xx:xx:xx:xx:08:00 SRC=192.168.1.118 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=24138 DF PROTO=UDP SPT=33270 DPT=53 LEN=68 

Host 192.168.1.118 is the phone in question, 192.168.1.2 is the internal DNS server running Pi-hole, MAC addresses have been obfuscated.

Only this and another OOB Android phone are triggering such log entries. I can’t imagine why one would forward UDP packets to port 53 within the same network segment 192.168.1.0/24 and why they are being dropped by the firewall. What is going on here?

Thanks!

Hi,

sorry for replying late.

I assume the DNS server is located in the same broadcast domain and network zone, isn’t it?

Thanks, and best regards,
Peter Müller

Right, they are both in “blue”, i.e. 192.168.1.0/24 in my case. And no host other than the 2 OOB Android phones is generating these DROP_FORWARD entries, although all hosts are using the same DNS (Pi-hole) server 192.168.1.2 within their broadcast domain.
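
A small triage helper for log entries like the ones in this thread, as an added example (not code from any poster or from IPFire): it parses the kernel log format quoted above and groups DROP_FORWARD entries whose IN and OUT interfaces are identical, per source and destination. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First two lines: the entries quoted in the thread. Third: a constructed
# cross-zone entry (documentation address) added for contrast.
SAMPLE = """\
Nov 22 20:18:13 ipfire kernel: DROP_FORWARD IN=blue0 OUT=blue0 MAC=yy:yy:yy:yy:yy:yy:xx:xx:xx:xx:xx:xx:08:00 SRC=192.168.1.118 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=24137 DF PROTO=UDP SPT=33270 DPT=53 LEN=68
Nov 22 20:18:18 ipfire kernel: DROP_FORWARD IN=blue0 OUT=blue0 MAC=yy:yy:yy:yy:yy:yy:xx:xx:xx:xx:xx:xx:08:00 SRC=192.168.1.118 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=24138 DF PROTO=UDP SPT=33270 DPT=53 LEN=68
Nov 22 20:18:20 ipfire kernel: DROP_FORWARD IN=blue0 OUT=red0 MAC=yy:yy:yy:yy:yy:yy:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=443
"""

HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) kernel: (\S+) (.*)$")

def parse_line(line):
    """Split one kernel firewall log line into prefix, time and KEY=VALUE fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    stamp, _host, prefix, rest = m.groups()
    fields = {"prefix": prefix}
    for key, value in re.findall(r"(\w+)=(\S*)", rest):
        # LEN occurs twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    # Syslog omits the year; a fixed one is assumed so deltas can be computed.
    fields["time"] = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
    return fields

def same_interface_drops(text):
    """Group DROP_FORWARD entries whose IN and OUT interface are identical."""
    flows = defaultdict(list)
    for line in text.splitlines():
        f = parse_line(line)
        if f and f["prefix"] == "DROP_FORWARD" and f.get("IN") == f.get("OUT"):
            key = (f["IN"], f["SRC"], f["DST"], f["PROTO"], f.get("DPT"))
            flows[key].append(f)
    return dict(flows)

def summarize(flows):
    """Per flow: hit count, seconds from first to last hit, TTL values seen."""
    rows = []
    for key, hits in flows.items():
        span = (hits[-1]["time"] - hits[0]["time"]).total_seconds()
        rows.append((key, len(hits), span, sorted({h["TTL"] for h in hits})))
    return rows

if __name__ == "__main__":
    for row in summarize(same_interface_drops(SAMPLE)):
        print(row)
```
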