I am running 1.20.2 on Linux, and I have Global Discovery disabled on all clients. Yet, the clients are making connections to discovery-3.syncthing.net and others following the naming pattern.
Why, and how can I stop these connections? I don’t see any need for them, and would rather not leak data.
Seems like you hit the nail on the head. I don’t know why I didn’t notice this! Great example of why reverse DNS is quite dangerous in security analysis…
I don’t know, mine doesn’t when I’ve disabled global discovery.
(It is also part of the default set of stun servers, that doc entry is slightly out of date, but the traffic you show isn’t STUN so that doesn’t matter here.)
Who runs these servers? If there is no obvious client-side place to look for why these servers may be contacted (I’ve changed the STUN set to my own STUN server now too), then maybe we could peek into the web server logs at a given point in time to find out what is being tried?
We do. They do not keep access logs, for a multitude of reasons. I suspect you simply haven’t disabled discovery lookups as much as you think you have.
I’m quite confident that Syncthing does not make global discovery requests when configured like that. I don’t know the source of the traffic you’re seeing.
I just tested it using the same config as posted above and I can concur: I do not see any (TLS) traffic to discovery when global discovery is set to different servers, or turned off. The STUN server contacted also appears to resolve differently to discovery.s.n, and yes its traffic patterns are quite different.
Unsure why my post suddenly disappeared, so here I go again: thanks to your patience and knowledge, I ended up correlating tcpdump with ss output, and found that there was another user running Syncthing, with global discovery turned on. Doh!
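The correlation the last post describes, as an added example that is not part of this thread or of Syncthing: a Python script that joins constructed `tcpdump -nn -tt tcp` lines with constructed `ss -tnpe` lines on the connection 4-tuple, so each captured flow is attributed to a local process, pid and uid instead of to whatever name reverse DNS returns for the peer address. The sample output, the field layout assumed for both tools, and the rule that `ss -e` omits `uid:` for root-owned sockets are assumptions stated in the comments; run `ss` as root on the real host, otherwise other users' processes show up without a name.

```python
"""Attribute captured TCP flows to the local socket owner (pid/uid).

Added example, not code from the Syncthing project or from the thread.
Parses constructed `tcpdump -nn -tt tcp` and `ss -tnpe` output and joins
them on (local_ip, local_port, peer_ip, peer_port).
"""
import pwd
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (local_ip, local_port, peer_ip, peer_port)


@dataclass(frozen=True)
class SocketOwner:
    process: str
    pid: int
    uid: int


# Constructed sample of `ss -tnpe` run as root (assumed format). `ss -e` prints
# `uid:N` only for non-root sockets, so a missing uid is treated as uid 0.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.10:51234   203.0.113.5:443    users:(("syncthing",pid=2201,fd=17)) uid:1001 ino:33445 sk:5
ESTAB  0      0      192.168.1.10:22000   198.51.100.7:41234 users:(("syncthing",pid=1500,fd=9)) uid:1000 ino:33001 sk:6
ESTAB  0      0      [2001:db8::10]:48000 [2001:db8::53]:443 users:(("curl",pid=3100,fd=5)) ino:33900 sk:7
"""

# Constructed sample of `tcpdump -nn -tt tcp` (assumed format); the second
# line is the reply direction of the first flow.
TCPDUMP_SAMPLE = """\
1700000000.100000 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
1700000000.120000 IP 203.0.113.5.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
1700000000.500000 IP 192.168.1.10.39999 > 192.0.2.99.443: Flags [S], seq 3, win 64240, length 0
1700000001.000000 IP6 2001:db8::10.48000 > 2001:db8::53.443: Flags [P.], seq 1:80, ack 1, win 500, length 79
"""

_SS_RE = re.compile(
    r"^(?P<state>[A-Z0-9-]+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)(?P<rest>.*)$"
)
_PROC_RE = re.compile(r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')
_UID_RE = re.compile(r"\buid:(?P<uid>\d+)")
_TCPDUMP_RE = re.compile(r"\bIP6? (?P<src>\S+) > (?P<dst>\S+):")


def _norm(addr: str) -> str:
    """Strip the brackets ss puts around IPv6 literals so both tools agree."""
    return addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr


def parse_ss(text: str) -> Dict[FlowKey, SocketOwner]:
    """Map each established socket's 4-tuple to the process and uid owning it."""
    owners: Dict[FlowKey, SocketOwner] = {}
    for line in text.splitlines():
        m = _SS_RE.match(line)
        if not m:
            continue  # header line, or a LISTEN socket with a wildcard peer
        rest = m.group("rest")
        p = _PROC_RE.search(rest)
        u = _UID_RE.search(rest)
        owner = SocketOwner(
            process=p.group("proc") if p else "?",   # no -p permission for this socket
            pid=int(p.group("pid")) if p else -1,
            uid=int(u.group("uid")) if u else 0,      # ss omits uid:0
        )
        key = (_norm(m.group("laddr")), int(m.group("lport")),
               _norm(m.group("raddr")), int(m.group("rport")))
        owners[key] = owner
    return owners


def _split_hostport(token: str) -> Tuple[str, int]:
    """tcpdump writes host.port for both v4 and v6; the port is after the last dot."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_tcpdump(text: str) -> List[FlowKey]:
    """Extract (src, sport, dst, dport) from every TCP packet line."""
    flows: List[FlowKey] = []
    for line in text.splitlines():
        m = _TCPDUMP_RE.search(line)
        if m:
            flows.append(_split_hostport(m.group("src")) + _split_hostport(m.group("dst")))
    return flows


def attribute(flows: List[FlowKey], owners: Dict[FlowKey, SocketOwner]) -> Dict[FlowKey, Optional[SocketOwner]]:
    """Join packets to sockets; both packet directions collapse onto the socket's key."""
    result: Dict[FlowKey, Optional[SocketOwner]] = {}
    for src, sport, dst, dport in flows:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in owners:
            result[fwd] = owners[fwd]
        elif rev in owners:
            result[rev] = owners[rev]
        else:
            result.setdefault(fwd, None)  # socket gone before ss ran, or another host's traffic
    return result


def uid_name(uid: int) -> str:
    """Resolve a uid to a login name, falling back to the number on this host."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def report(result: Dict[FlowKey, Optional[SocketOwner]]) -> List[str]:
    """One line per flow: peer, then owner or a marker that no socket matched."""
    lines = []
    for (lip, lport, pip, pport), owner in sorted(result.items()):
        who = (f"{owner.process} pid={owner.pid} user={uid_name(owner.uid)}"
               if owner else "NO MATCHING SOCKET")
        lines.append(f"{lip}:{lport} -> {pip}:{pport}  {who}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(attribute(parse_tcpdump(TCPDUMP_SAMPLE), parse_ss(SS_SAMPLE)))))
```

On a live host, feed it `ss -tnpe` and the capture taken in the same few seconds; a flow that shows up as "NO MATCHING SOCKET" is the case to chase, since it means the connection closed before `ss` ran or belongs to a different machine behind the same interface.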