WSS Agent - IPv6 support
search cancel

WSS Agent - IPv6 support


Article ID: 236013


Updated On:


Cloud Secure Web Gateway - Cloud SWG


How does WSS Agent (WSSA) handle IPv6 traffic? Is there a way to allow IPv6 DNS response for specific domain or URL?  




The WSS Agent does not currently support IPv6 connections (WSS service does not currently support IPv6). A future update will provide support (no current ETA).

In networks where IPv6 is available, most clients issue both A (IPv4) and AAAA (IPv6) DNS queries.

If an IPv6 address is returned, the IPv6 traffic does not pass through WSS. This IPv6 passed-through traffic creates a potential security risk.

The WSS Agent mitigates this IPv6 bypass risk by blocking IPv6 traffic (by blocking IPv6 DNS results), which effectively steers all web transactions to IPv4.

WSSA intercepts AAAA (IPv6) DNS responses and returns an NXDOMAIN status code in place of the authoritative response. The response informs the operating system that no IPv6 addresses are available.

When WSSA is configured to block IPv6, the endpoint receives an NXDOMAIN code for any domains that return IPv6 addresses.

NOTE: For stronger security with WSSA, it is recommended that "Allow IPv6 traffic" be DISABLED.


When the "Allow IPv6 traffic" option is disabled (recommended) in the WSS Portal, the following scenarios result in dropped IPv6 traffic: 

  • A user enters an IPv6 address directly into the browser
  • Hostname entries are added to the hosts file that resolve to an IPv6 address
  • The use of a IPv6 DNS proxy or DNS-over-HTTPS (DoH)


How to allow IPv6 DNS lookup for specific domain or URL?

  • Administrator can allow IPv6 DNS lookup for specific domain by adding domain or hostname to WSSA bypass list.
    • Need to have WSSA version 9.5.3 or higher
    • Log in to Cloud SWG Portal > Connectivity > Bypassed Traffic - Add domain/url to allow IPv6



Additional Information

WSS: 'DNS_PROBE_FINISHED_NXDOMAIN' error when browsing websites