why syncthing is discovering a lot of IPs outside my LAN?

I need to understand why this:

Mar 21 18:47:36 dnsmasq[22586]: query[A] discoverysyncthingnet from 192.168.129.254 Mar 21 18:47:36 dnsmasq[22586]: forwarded discoverysyncthingnet to 208.67.222.222 Mar 21 18:47:36 dnsmasq[22586]: query[AAAA] discoverysyncthingnet from 192.168.129.254 Mar 21 18:47:36 dnsmasq[22586]: forwarded discoverysyncthingnet to 208.67.222.222 Mar 21 18:47:36 dnsmasq[22586]: dnssec-query[DS] syncthing.net to 208.67.222.222 Mar 21 18:47:36 dnsmasq[22586]: reply syncthing.net is no DS Mar 21 18:47:36 dnsmasq[22586]: validation result is INSECURE Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 198.211.120.59 Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 139.59.84.212 Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 159.89.86.206 Mar 21 18:47:36 dnsmasq[22586]: validation result is INSECURE Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 2a03:b0c0:0:1010::bb:4001 Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 2400:6180:100:d0::741:a001 Mar 21 18:47:36 dnsmasq[22586]: reply discoverysyncthingnet is 2604:a880:400:d0::185c:f001

Please check the FAQ.

FAQ — Syncthing documentation Why does Syncthing Connect to this Unknown/Suspicious address?

Not just relays, but Syncthing also needs to connect to the discovery servers to find the devices you have configured it to connect to.

None of this is insecure, but while you can restrict what it tries to contact (uncheck “Global Discovery” in Settings → Connections), it will also effectively disable the ability to auto-discover a peer you have configured. If you only have fixed IP addresses, that is not hard to work around, but if your peers have dynamic addresses (mobile devices for example), you will find it difficult and frustrating to make Syncthing work properly.