WSS Agent - IPv6 support
search cancel

WSS Agent - IPv6 support


Article ID: 236013


Updated On:


Cloud Secure Web Gateway - Cloud SWG


How does WSS Agent (WSSA) handle IPv6 traffic?


The WSS Agent does not currently support IPv6 connections (WSS service does not currently support IPv6). A future update will provide support (no current ETA).

In networks where IPv6 is available, most clients issue both A (IPv4) and AAAA (IPv6) DNS queries.

If an IPv6 address is returned, the IPv6 traffic does not pass through WSS. This IPv6 passed-through traffic creates a potential security risk.

The WSS Agent mitigates this IPv6 bypass risk by blocking IPv6 traffic (by blocking IPv6 DNS results), which effectively steers all web transactions to IPv4.

WSSA intercepts AAAA (IPv6) DNS responses and returns an NXDOMAIN status code in place of the authoritative response. The response informs the operating system that no IPv6 addresses are available.

When WSSA is configured to block IPv6, the endpoint receives an NXDOMAIN code for any domains that return IPv6 addresses.

NOTE: For stronger security with WSSA, it is recommended that "Allow IPv6 traffic" be DISABLED.


When the "Allow IPv6 traffic" option is disabled (recommended) in the WSS Portal, the following scenarios result in dropped IPv6 traffic: 

  • A user enters an IPv6 address directly into the browser
  • Hostname entries are added to the hosts file that resolve to an IPv6 address
  • The use of a IPv6 DNS proxy or DNS-over-HTTPS (DoH)


Additional Information

WSS: 'DNS_PROBE_FINISHED_NXDOMAIN' error when browsing websites