Why does syncthing connect to a server called 24hour-carfinance.org?

When I run netstat -W -A inet -p, I see

[myhost]:57234 24hour-carfinance.org:22067 ESTABLISHED 27531/syncthing

Does anyone know why syncthing connects to a server called 24hour-carfinance.org? What is going on?

IP address: 198.105.254.130. Whois says it’s in Boulder, CO, USA

I’m using v0.14.7.

You are probably connected via relay, which can be hosted by anyone.

Thanks for your quick reply. I am using relays. When syncthing starts I see

Joined relay relay://69.30.215.162:22067

And this IP shows up twice in my netstat output, but also 24hour-carfinance.org (once). Is this normal? Thanks!

That doesn’t even look like a domain that exists. See what that domain resolves to locally; I suspect it will be that IP address.

What do you mean by resolve to locally? It’s not in my network for sure.

When I disabled relaying, that server doesn’t show up anymore.

Readable addresses always point to IP addresses. Do dig +short 24hour-carfinance.org and it will give you the IP address for the given name.

This is what I got:

$ dig +short 24hour-carfinance.org
198.105.244.130
198.105.254.130

That doesn’t look like one of the public relays, is that perhaps one of your peer public IPs?

No, two of my computers are in the same LAN at home and another is at an IP that I know very well. This strange IP is located in Boulder, very far from me.

My other remote computer also connects to the strange IP.

Port 22067 is a relay.

When I start syncthing it says:

Joined relay relay://64.137.241.167:22067

But the strange connection is to 24hour-carfinance.org:22067, 198.105.254.130. It’s not listed at http://relays.syncthing.net/

Is this list up-to-date?

So the DNS name doesn’t even resolve for me. There is something funky with your DNS to start with, so we can’t be sure that the IP it’s showing is actually correct.

Also, it might connect to a different relay every time it starts so verify that it’s still the same relay you are joining.

My computer at work, which is on a different network, also connects to this server, according to netstat -W -A inet -p.

I restarted syncthing at my work machine and now it connects to:

relay.ubiquitous.work:https ESTABLISHED 27071/syncthing
24hour-carfinance.org:22067 ESTABLISHED 27071/syncthing

The strange server seems to always connect.

Pinging 24hour-carfinance.org from the work computer fails, though, like for you. At home I have AT&T internet and ping shows the IP address.

So for me the DNS name doesn’t even resolve, so I can’t say much, as I said.

Can you download the same release from github and check the md5 sum to make sure you don’t have some malicious binary?

The port however implies relay traffic, sadly I can’t really help you debug anything more without actually having access to inspect traffic etc, etc.

I just downloaded

https://github.com/syncthing/syncthing/releases/download/v0.14.7/syncthing-linux-amd64-v0.14.7.tar.gz

and it also connects to that server.

Anyway, thanks for trying to help!

Turn off relays, see if it still tries to connect?

DNS resolves for me, but to slightly different IPs than OP gets. It’s probably just doing some anycast or geocasting tricks on the DNS (which is common for larger ISPs and web hosting companies to do).

I’m almost positive this is just relaying… especially with the port being 22067.

I turned off all my syncthings since yesterday and turned on again now. I don’t see that strange server anymore, so it seems it was a legit relay.

I was spooked by the weird name.

Thanks everyone for your help and good job on syncthing!

In DNS it’s possible for the netblock owner to specify a PTR record. This is a reverse DNS lookup, which means that when you query a DNS server with an IP address, a domain name is returned.

It’s possible the IP belonged to a connection associated with 24hour-carfinance.org at some point in the past and no longer does, but the owner of the netblock (usually the ISP) hasn’t bothered to update/reset the PTR (RDNS) record to reflect that it no longer has anything to do with that domain/customer.

I’ve seen that a few times with providers that allow you to change the RDNS entry to something custom. Since it doesn’t affect much (other than maybe mail delivery), it’s possible the new user hasn’t noticed or can’t be bothered to do anything about it.
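
The stale-PTR situation described in the last reply can be tested with a forward-confirmed reverse DNS check on the remote addresses of syncthing's sockets. This is an added example, not part of the original thread or of syncthing; the function names are hypothetical, and the netstat lines and DNS tables are constructed to mirror the thread (the name netstat printed does not resolve forward, as one replier reported).

```python
import socket

def ptr_names(ip):
    """PTR names for ip: the label netstat prints when run without -n."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:  # herror/gaierror: no PTR record or resolver failure
        return []

def forward_ips(name):
    """Addresses the name itself resolves to (A/AAAA lookup)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, reverse=ptr_names, forward=forward_ips):
    """Forward-confirmed reverse DNS: trust a PTR name only if it maps back to ip."""
    names = reverse(ip)
    if not names:
        return "no-ptr", None
    for name in names:
        if ip in forward(name):
            return "confirmed", name
    return "unconfirmed-ptr", names[0]

def remote_ips(netstat_text, process="syncthing"):
    """Remote IPv4 addresses of ESTABLISHED sockets owned by process (netstat -n -A inet -p)."""
    ips = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "ESTABLISHED" and f[6].endswith("/" + process):
            ips.append(f[4].rsplit(":", 1)[0])
    return ips

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:57234   198.105.254.130:22067  ESTABLISHED 27531/syncthing
tcp        0      0 192.0.2.10:40112   203.0.113.7:22067      ESTABLISHED 27531/syncthing
tcp        0      0 192.0.2.10:51000   198.51.100.9:443       ESTABLISHED 1200/firefox
"""
SAMPLE_PTR = {"198.105.254.130": ["24hour-carfinance.org"], "203.0.113.7": ["relay.example.net"]}
SAMPLE_A = {"relay.example.net": {"203.0.113.7"}}  # the car-finance name does not resolve

def demo():
    """Classify each syncthing peer in the sample, using the constructed DNS tables."""
    return {ip: classify(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, set()))
            for ip in remote_ips(SAMPLE_NETSTAT)}
```

An "unconfirmed-ptr" result means the hostname is only a label set by the netblock owner, so the connection should be judged by its IP address and port (22067, the relay port in this thread) rather than by the name. Calling classify(ip) with no extra arguments uses the system resolver instead of the sample tables.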