diff --git a/src/agents/tools/web-fetch.ssrf.test.ts b/src/agents/tools/web-fetch.ssrf.test.ts
index c0489c9b5ba..92555d0a55d 100644
--- a/src/agents/tools/web-fetch.ssrf.test.ts
+++ b/src/agents/tools/web-fetch.ssrf.test.ts
@@ -125,6 +125,19 @@ describe("web_fetch SSRF protection", () => {
 expect(fetchSpy).toHaveBeenCalledTimes(1);
 });
+ it("allows RFC 2544 benchmark range IPs (198.18.0.0/15) used by DNS proxy tools", async () => {
+ lookupMock.mockResolvedValue([{ address: "198.18.1.5", family: 4 }]);
+
+ setMockFetch().mockResolvedValue(textResponse("ok"));
+ const tool = await createWebFetchToolForTest();
+
+ const result = await tool?.execute?.("call", { url: "https://example.com" });
+ expect(result?.details).toMatchObject({
+ status: 200,
+ extractor: "raw",
+ });
+ });
+
 it("allows public hosts", async () => {
 lookupMock.mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
diff --git a/src/agents/tools/web-fetch.ts b/src/agents/tools/web-fetch.ts
index 92f94bf3a28..4690965f5d1 100644
--- a/src/agents/tools/web-fetch.ts
+++ b/src/agents/tools/web-fetch.ts
@@ -539,6 +539,7 @@ async function runWebFetch(params: WebFetchRuntimeParams): Promise
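Review bot: The new test in web-fetch.ssrf.test.ts pins 198.18.0.0/15 as fetchable for the default tool (`createWebFetchToolForTest()` is called with no options), but nothing in it records that this range is special-purpose rather than public, so the exemption reads like an ordinary allow case. I would add a comment above the `it(...)` such as `// 198.18.0.0/15 is reserved for benchmarking (RFC 2544), not public; allowed only because DNS proxy tools answer from it, so hosts actually numbered in this range become reachable.` The test also omits the call-count assertion the preceding test ends with; capturing the spy with `const fetchSpy = setMockFetch().mockResolvedValue(textResponse("ok"));` and adding `expect(fetchSpy).toHaveBeenCalledTimes(1);` would show the request was actually issued once. A neighbouring case showing that a private or loopback answer is still rejected under the same configuration would keep the exemption from widening unnoticed; whether one already exists cannot be seen from this hunk, and the web-fetch.ts hunk that implements the exemption is cut off here.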