stun.syncthing.net doesn't resolve anymore

Syncthing’s STUN server used to have the domain of stun.syncthing.net, but that doesn’t resolve to anything anymore.

I shut it down because keeping it running wasn’t feasible under the circumstances.

Context: STUN server misuse

2 Likes

To add to what happened after: traffic kept growing and blocking didn’t help much since it’s UDP and clients keep trying. I think we were up to 200 Mbps of incoming UDP when I dropped the A record. So whatever we end up doing in the future, stun.syncthing.net is probably permanently burned as a name.

1 Like

A public STUN server with a fixed domain will always end up on lists like this. The only viable defense is to switch to a different domain from time to time.

Yeah… And I’m the first to recognise the irony/hypocrisy of on the one hand decrying non-Syncthing clients using our STUN server and on the other hand now just relying on other people’s public STUN servers…

A hardcoded auth credential might help a bit, at least as a clear official discouragement.

1 Like

STUN with authentication requires a bit of effort. This should be enough to discourage the laziest of abusers.

Showerthought: resolving the actual STUN server address via a DNS SRV record might also be an alternative. It’s three lines of code in Go, but renders the server pretty much unusable for any browser WebRTC stuff.

8 Likes
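The SRV-record idea from the post above, as an added example that is not part of the thread or Syncthing's code: the client resolves `_stun._udp.<domain>` and dials whatever host and port the record names, so the operator can move or renumber the server without a fixed A record that ends up on public lists. The function names and the `example.net` domain are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// srvLookup matches (*net.Resolver).LookupSRV so a fake can be substituted offline.
type srvLookup func(ctx context.Context, service, proto, name string) (string, []*net.SRV, error)

// stunAddrs resolves _stun._udp.<domain> and returns host:port dial targets in
// the order the resolver gave them (package net sorts by priority, then weight).
func stunAddrs(ctx context.Context, lookup srvLookup, domain string) ([]string, error) {
	_, recs, err := lookup(ctx, "stun", "udp", domain)
	if err != nil {
		return nil, fmt.Errorf("SRV lookup for %s: %w", domain, err)
	}
	var addrs []string
	for _, r := range recs {
		host := strings.TrimSuffix(r.Target, ".")
		if host == "" || r.Port == 0 {
			continue // RFC 2782: a target of "." means the service is not offered
		}
		addrs = append(addrs, net.JoinHostPort(host, strconv.Itoa(int(r.Port))))
	}
	if len(addrs) == 0 {
		return nil, errors.New("no usable STUN SRV records for " + domain)
	}
	return addrs, nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// example.net is a placeholder domain (assumption), not a real STUN deployment.
	addrs, err := stunAddrs(ctx, net.DefaultResolver.LookupSRV, "example.net")
	if err != nil {
		fmt.Println("no STUN server via SRV:", err)
		return
	}
	fmt.Println("STUN candidates:", addrs)
}
```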

@calmh any plans to revive the STUN server in the near future?

I have a bit too much on my plate already for work and personal reasons and this doesn’t feel like a priority. I can spin up a VM and point a couple of IP addresses to it if you want to do the needful and take it from there, though.

2 Likes

Feel free to postpone 🙂