Hi there.

stun.kedr.io:3478 is currently responding with faulty information: It advertises an OTHER-ADDRESS attribute containing the same IP address that was used to contact it. (The port is different, but that's not enough to avoid breaking things.)

This tricks clients that understand and use that attribute into thinking their NAT's filtering behavior is the most permissive possible (Endpoint-Independent Filtering) even if it actually is much more restrictive.

It also violates RFC 5780, which states, "OTHER-ADDRESS MUST NOT be inserted into a Binding Response unless the server has a second IP address."

Given that this is likely to undermine NAT traversal, I think it might be worth removing that server from the list for now, and maybe contacting the admins to see if they'll fix it.

(To be clear in light of the FAQ, the problem here isn't a lack of RFC 5780 support; that would be harmless.)

Thanks for submitting this. I've removed the host from the checks