Syncthing’s STUN server used to have the domain of stun.syncthing.net, but that doesn’t resolve to anything anymore.
I shut it down because keeping it running wasn’t feasible under the circumstances.
Context: STUN server misuse
To add to what happened after: traffic kept growing, and blocking didn’t help much since it’s UDP and clients keep trying. I think we were up to 200 Mbps of incoming UDP when I dropped the A record. So whatever we end up doing in the future, stun.syncthing.net is probably permanently burned as a name.
A public STUN server with a fixed domain will always end up on lists like this. The only viable defense is to switch to a different domain from time to time.
Yeah… And I’m the first to recognise the irony/hypocrisy of on the one hand decrying non-Syncthing clients using our STUN server and on the other hand now just relying on other people’s public STUN servers…
A hardcoded auth credential might help a bit, at least as a clear official discouragement.
STUN with authentication requires a bit of effort. This should be enough to discourage the laziest of abusers.
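The credential check the two posts above talk about is what RFC 5389 calls MESSAGE-INTEGRITY: the client includes USERNAME and REALM, then an HMAC-SHA1 over the message keyed with MD5(username:realm:password), and the server drops anything whose HMAC is missing or wrong. The following Go program is an added illustration of that check, written for this thread; it is not Syncthing's code, and the username, realm and password values in it are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// STUN constants from RFC 5389.
const (
	bindingRequest       = 0x0001
	magicCookie          = 0x2112A442
	attrUsername         = 0x0006
	attrMessageIntegrity = 0x0008
	attrRealm            = 0x0014
	headerLen            = 20
)

// longTermKey derives the HMAC key for long-term credentials:
// MD5(username ":" realm ":" password), RFC 5389 section 15.4.
func longTermKey(username, realm, password string) []byte {
	sum := md5.Sum([]byte(username + ":" + realm + ":" + password))
	return sum[:]
}

// appendAttr appends one TLV attribute, padded to a 4-byte boundary.
func appendAttr(msg []byte, typ uint16, value []byte) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint16(hdr[0:], typ)
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(value)))
	msg = append(msg, hdr[:]...)
	msg = append(msg, value...)
	for len(msg)%4 != 0 {
		msg = append(msg, 0)
	}
	return msg
}

// buildAuthenticatedBinding builds a Binding Request carrying USERNAME, REALM
// and MESSAGE-INTEGRITY. txID is the 96-bit transaction ID.
func buildAuthenticatedBinding(username, realm string, key []byte, txID [12]byte) []byte {
	msg := make([]byte, headerLen)
	binary.BigEndian.PutUint16(msg[0:], bindingRequest)
	binary.BigEndian.PutUint32(msg[4:], magicCookie)
	copy(msg[8:], txID[:])
	msg = appendAttr(msg, attrUsername, []byte(username))
	msg = appendAttr(msg, attrRealm, []byte(realm))

	// The HMAC covers everything before MESSAGE-INTEGRITY, with the header
	// length field set as if the 24-byte MESSAGE-INTEGRITY attribute were present.
	binary.BigEndian.PutUint16(msg[2:], uint16(len(msg)-headerLen+24))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	msg = appendAttr(msg, attrMessageIntegrity, mac.Sum(nil))
	binary.BigEndian.PutUint16(msg[2:], uint16(len(msg)-headerLen))
	return msg
}

// verifyIntegrity is the server-side check: it walks the attributes, recomputes
// the HMAC over the covered prefix and compares in constant time. A message
// without MESSAGE-INTEGRITY is an error so the caller rejects it outright.
func verifyIntegrity(msg []byte, key []byte) (bool, error) {
	if len(msg) < headerLen || binary.BigEndian.Uint32(msg[4:]) != magicCookie {
		return false, fmt.Errorf("not a STUN message")
	}
	off := headerLen
	for off+4 <= len(msg) {
		typ := binary.BigEndian.Uint16(msg[off:])
		l := int(binary.BigEndian.Uint16(msg[off+2:]))
		valEnd := off + 4 + l
		if valEnd > len(msg) {
			return false, fmt.Errorf("truncated attribute")
		}
		if typ == attrMessageIntegrity {
			if l != sha1.Size {
				return false, fmt.Errorf("bad MESSAGE-INTEGRITY length %d", l)
			}
			covered := append([]byte(nil), msg[:off]...)
			binary.BigEndian.PutUint16(covered[2:], uint16(valEnd-headerLen))
			mac := hmac.New(sha1.New, key)
			mac.Write(covered)
			return hmac.Equal(mac.Sum(nil), msg[off+4:valEnd]), nil
		}
		off = valEnd + (4-l%4)%4 // skip padding to the next attribute
	}
	return false, fmt.Errorf("no MESSAGE-INTEGRITY attribute: unauthenticated request")
}

func main() {
	key := longTermKey("syncthing", "stun.example", "secret") // constructed values
	var tx [12]byte
	copy(tx[:], "txn-id-00001")
	msg := buildAuthenticatedBinding("syncthing", "stun.example", key, tx)
	fmt.Println(hex.EncodeToString(msg))
	ok, err := verifyIntegrity(msg, key)
	fmt.Println("verified:", ok, "err:", err)
}
```

A hardcoded credential does not keep the key secret (it ships in the client binary), which is why the post above only claims it deters the laziest abusers; what it does give the server is a cheap way to drop every request that does not carry a valid HMAC before doing any further work.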
Showerthought: resolving the actual STUN server address via a DNS SRV record might also be an alternative. It’s three lines of code in Go, but renders the server pretty much unusable for any browser WebRTC stuff
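The SRV idea in the post above decouples the name clients are configured with from the host that actually answers, so the target can be moved when it gets abused without touching the client. The Go function below is an added example written for this thread, not Syncthing's code: it queries `_stun._udp.<domain>`, orders the records the way RFC 2782 describes (lowest priority first, higher weight first within a priority, deterministically rather than weighted-random), and treats a lone "." target as "no service". The lookup function is injectable so the ordering can be checked with constructed records; the domain and host names used are constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// srvLookup matches the signature of net.LookupSRV so a fake can be injected.
type srvLookup func(service, proto, name string) (cname string, addrs []*net.SRV, err error)

// stunTargets resolves _stun._udp.<domain> and returns "host:port" candidates,
// lowest priority first and, within a priority, highest weight first.
// RFC 2782 selects among equal priorities by weighted random choice; this
// example orders deterministically so the result is easy to inspect.
func stunTargets(domain string, lookup srvLookup) ([]string, error) {
	if lookup == nil {
		lookup = net.LookupSRV // real DNS when no fake is supplied
	}
	_, recs, err := lookup("stun", "udp", domain)
	if err != nil {
		return nil, fmt.Errorf("SRV lookup for _stun._udp.%s failed: %w", domain, err)
	}
	sort.SliceStable(recs, func(i, j int) bool {
		if recs[i].Priority != recs[j].Priority {
			return recs[i].Priority < recs[j].Priority
		}
		return recs[i].Weight > recs[j].Weight
	})
	var out []string
	for _, r := range recs {
		target := strings.TrimSuffix(r.Target, ".")
		// RFC 2782: a target of "." means the service is decidedly not available.
		if target == "" || r.Port == 0 {
			continue
		}
		out = append(out, net.JoinHostPort(target, strconv.Itoa(int(r.Port))))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no usable STUN targets for %s", domain)
	}
	return out, nil
}

func main() {
	// Constructed records standing in for a real zone.
	fake := func(service, proto, name string) (string, []*net.SRV, error) {
		return "_stun._udp." + name + ".", []*net.SRV{
			{Target: "stun-backup.example.net.", Port: 3479, Priority: 20, Weight: 0},
			{Target: "stun-a.example.net.", Port: 3478, Priority: 10, Weight: 60},
		}, nil
	}
	targets, err := stunTargets("example.net", fake)
	fmt.Println(targets, err)
}
```

Moving the service is then a zone change: the old target can be retired or re-pointed while the configured domain stays the same, and clients that ignore the SRV indirection and hardcode a host simply stop resolving anything.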
@calmh any plans to revive the STUN server in the near future?
I have a bit too much on my plate already for work and personal reasons and this doesn’t feel like a priority. I can spin up a VM and point a couple of IP addresses to it if you want to do the needful and take it from there, though.
Feel free to postpone