CARP IP is in backup state, however it is still answering queries on other VLANs

  • Hello. On my network I use a CARP IP for DNS redundancy. My DNS server is the primary, and if that goes down pfSense will take over the IP and answer requests with Unbound. This worked perfectly until I split my network into VLANs.

    The DNS server is on VLAN20, so that is what I set the interface to in the CARP config on pfSense. The negotiation of master/backup still seems to work perfectly, with pfSense taking the backup state. And if I run dig from another device in VLAN20, the proper DNS server responds.

    The problem is that if I try running dig from, for example, VLAN30 (the firewall is configured to allow connections from VLAN30 to VLAN20), the router's Unbound server answers the query.

    Did I configure something wrong or is there a bug somewhere? Is this intended behavior? The IP is in backup so I don't see why it's responding at all, regardless of the interface.
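A check a practitioner would want before filing a bug: from each VLAN, ask the CARP VIP who actually answered. The source address of the reply is the VIP either way, so it does not tell you which box responded; the `hostname.bind` / `id.server` CHAOS TXT records do, provided the resolvers are not configured to hide their identity (Unbound's `hide-identity`, BIND's `server-id`). The script below is an added example, not code from the original post or from pfSense; it builds the CHAOS TXT query with the standard library only, parses the TXT answer, and includes a constructed sample reply so the parsing can be exercised offline. The VIP address `192.0.2.53` and the identity strings are placeholders.

```python
"""Ask a resolver for its identity via hostname.bind CH TXT (RFC 4892).

Added example. Assumptions: the resolver at CARP_VIP answers CHAOS
class queries for hostname.bind or id.server (Unbound does unless
hide-identity is set), and no DNS library is available, so the
packet is hand-built with struct/socket.
"""
import socket
import struct

CARP_VIP = "192.0.2.53"   # placeholder for the shared CARP address
TXID = 0x1234             # fixed transaction id, fine for a one-off probe
QTYPE_TXT, QCLASS_CH = 16, 3


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels + root."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_chaos_txt_query(name: str = "hostname.bind") -> bytes:
    """Header (RD set, one question) followed by <name> TXT CH."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def parse_txt_answers(resp: bytes) -> list:
    """Return the TXT strings in the answer section; [] on error/refusal."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:            # RCODE != NOERROR (e.g. REFUSED=5)
        return []
    off = 12
    for _ in range(qd):                # skip question: name + type + class
        off = _skip_name(resp, off) + 4
    texts = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:         # TXT rdata is a run of <len><chars>
            i, parts = 0, []
            while i < len(rdata):
                l = rdata[i]
                parts.append(rdata[i + 1:i + 1 + l].decode(errors="replace"))
                i += 1 + l
            texts.append("".join(parts))
    return texts


def who_answers(server_ip: str = CARP_VIP, name: str = "hostname.bind",
                timeout: float = 2.0):
    """Send the probe over UDP/53 and return (reply source, identities)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server_ip, 53))
        resp, (src, _port) = s.recvfrom(4096)
    return src, parse_txt_answers(resp)


def _sample_response(identity: str, rcode: int = 0) -> bytes:
    """Constructed reply, shaped as a resolver would send it (test data)."""
    question = encode_name("hostname.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if rcode:
        return struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, 0, 0, 0) + question
    rdata = bytes([len(identity)]) + identity.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; swap for who_answers()
    # run from a host on VLAN20 and again from VLAN30 to compare responders.
    print(parse_txt_answers(_sample_response("pfsense.example.internal")))
```

Run `who_answers()` once from a VLAN20 host and once from a VLAN30 host; if the identity strings differ, the two VLANs are being served by different boxes behind the same VIP, which is the symptom described in the post.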