diff --git a/share/config_global.toml b/share/config_global.toml index 405157c5f..40b71ab19 100644 --- a/share/config_global.toml +++ b/share/config_global.toml @@ -163,6 +163,9 @@ name = "Other" [misc.network] name = "Network" - [misc.network.network_ipv6_only] - type = "boolean" - default = false + [misc.network.dns_exposure] + type = "select" + choices.both = "Both" + choices.ipv4 = "IPv4 Only" + choices.ipv6 = "IPv6 Only" + default = "both" diff --git a/src/diagnosers/10-ip.py b/src/diagnosers/10-ip.py index 098bd569c..7de462334 100644 --- a/src/diagnosers/10-ip.py +++ b/src/diagnosers/10-ip.py @@ -122,7 +122,7 @@ class MyDiagnoser(Diagnoser): yield dict( meta={"test": "ipv4"}, data={"global": ipv4, "local": get_local_ip("ipv4")}, - status="SUCCESS" if ipv4 else "WARNING" if settings_get("network_ipv6_only") else "ERROR", + status="SUCCESS" if ipv4 else "ERROR" if settings_get("dns_exposure") == "ipv4" else "WARNING", summary="diagnosis_ip_connected_ipv4" if ipv4 else "diagnosis_ip_no_ipv4", details=["diagnosis_ip_global", "diagnosis_ip_local"] if ipv4 else None, ) @@ -130,7 +130,7 @@ class MyDiagnoser(Diagnoser): yield dict( meta={"test": "ipv6"}, data={"global": ipv6, "local": get_local_ip("ipv6")}, - status="SUCCESS" if ipv6 else "ERROR" if settings_get("network_ipv6_only") else "WARNING", + status="SUCCESS" if ipv6 else "ERROR" if settings_get("dns_exposure") == "ipv6" else "WARNING", summary="diagnosis_ip_connected_ipv6" if ipv6 else "diagnosis_ip_no_ipv6", details=["diagnosis_ip_global", "diagnosis_ip_local"] if ipv6 diff --git a/src/diagnosers/14-ports.py b/src/diagnosers/14-ports.py index 0ca39a42c..2d7eee717 100644 --- a/src/diagnosers/14-ports.py +++ b/src/diagnosers/14-ports.py 
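Review bot: In `share/config_global.toml`, `misc.network.network_ipv6_only` is removed outright and `dns_exposure` defaults to `"both"`, so unless a settings migration exists outside this diff, an instance that had `network_ipv6_only = true` would fall back to publishing and diagnosing IPv4 again after upgrade. I would add a migration that maps the old `true` to `dns_exposure = "ipv6"` and `false` to `"both"`. The new select also has no comment saying what it controls; a line such as `# Address families published in DNS and checked by the diagnosers` above the table would help.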
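Review bot: In `src/diagnosers/10-ip.py` (hunk `@@ -122`), the IPv4 `status=` line now reports a missing IPv4 address as `ERROR` only when `dns_exposure` is `"ipv4"`, so under the default `"both"` it is downgraded to `WARNING`, whereas the removed line returned `ERROR` whenever `network_ipv6_only` was off. If that downgrade is not intended, the line should read `status="SUCCESS" if ipv4 else "WARNING" if settings_get("dns_exposure") == "ipv6" else "ERROR",`. The IPv6 line in the `@@ -130` hunk keeps its previous semantics, so only the IPv4 branch changes default behaviour. The enclosing method starts outside the hunk.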
@@ -47,7 +47,7 @@ class MyDiagnoser(Diagnoser): ipversions = [] ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {} - if ipv4.get("status") == "SUCCESS" and not settings_get("network_ipv6_only"): + if ipv4.get("status") == "SUCCESS" or not settings_get("dns_exposure") == "ipv6": ipversions.append(4) # To be discussed: we could also make this check dependent on the @@ -121,7 +121,7 @@ class MyDiagnoser(Diagnoser): for record in dnsrecords.get("items", []) ) - if failed == 4 and not settings_get("network_ipv6_only") or ipv6_is_important(): + if failed == 4 and not settings_get("dns_exposure") == "ipv6" or ipv6_is_important(): yield dict( meta={"port": port}, data={ diff --git a/src/diagnosers/21-web.py b/src/diagnosers/21-web.py index bdba89f78..eaac0d25f 100644 --- a/src/diagnosers/21-web.py +++ b/src/diagnosers/21-web.py @@ -77,7 +77,7 @@ class MyDiagnoser(Diagnoser): ipversions = [] ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {} - if ipv4.get("status") == "SUCCESS" and not settings_get("network_ipv6_only"): + if ipv4.get("status") == "SUCCESS" and not settings_get("dns_exposure") == "ipv6": ipversions.append(4) # To be discussed: we could also make this check dependent on the @@ -97,7 +97,7 @@ class MyDiagnoser(Diagnoser): # "curl --head the.global.ip" will simply timeout... if self.do_hairpinning_test: global_ipv4 = ipv4.get("data", {}).get("global", None) - if global_ipv4 and not settings_get("network_ipv6_only"): + if global_ipv4 and settings_get("dns_exposure") != "ipv6": try: requests.head("http://" + global_ipv4, timeout=5) except requests.exceptions.Timeout: @@ -148,7 +148,7 @@ class MyDiagnoser(Diagnoser): if all( results[ipversion][domain]["status"] == "ok" for ipversion in ipversions ): - if 4 in ipversions and not settings_get("network_ipv6_only"): + if 4 in ipversions and settings_get("dns_exposure") != "ipv6": self.do_hairpinning_test = True yield dict( meta={"domain": domain}, 
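Review bot: In `src/diagnosers/14-ports.py` (hunk `@@ -47`), the new condition joins the two tests with `or` where the removed line used `and`, so `4` is appended to `ipversions` when the cached IPv4 report did not succeed (for any exposure other than `"ipv6"`) and also when exposure is `"ipv6"` but IPv4 happens to work. The same test in `src/diagnosers/21-web.py` (`@@ -77`) keeps `and`, which suggests this is a slip. Suggested line: `if ipv4.get("status") == "SUCCESS" and settings_get("dns_exposure") != "ipv6":`. The enclosing method begins and ends outside the hunk.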
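Review bot: In `src/diagnosers/14-ports.py` (hunk `@@ -121`), `failed == 4 and not settings_get("dns_exposure") == "ipv6" or ipv6_is_important()` is easy to misread, because it relies on `not` binding looser than `==` and on `and` binding tighter than `or`. Writing it as `if (failed == 4 and settings_get("dns_exposure") != "ipv6") or ipv6_is_important():` keeps the behaviour and matches the `!=` form used in the `21-web.py` `@@ -97` and `@@ -148` hunks. The `not ... == "ipv6"` spelling also appears in `21-web.py` `@@ -77` and `src/dns.py` `@@ -186`, and could be normalised the same way.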
@@ -186,7 +186,7 @@ class MyDiagnoser(Diagnoser): ) AAAA_status = dnsrecords.get("data", {}).get("AAAA:@") - return AAAA_status in ["OK", "WRONG"] or settings_get("network_ipv6_only") + return AAAA_status in ["OK", "WRONG"] or settings_get("dns_exposure") != "ipv4" if failed == 4 or ipv6_is_important_for_this_domain(): yield dict( diff --git a/src/diagnosers/24-mail.py b/src/diagnosers/24-mail.py index 536f870b3..43273aebf 100644 --- a/src/diagnosers/24-mail.py +++ b/src/diagnosers/24-mail.py @@ -302,13 +302,13 @@ class MyDiagnoser(Diagnoser): outgoing_ipversions = [] outgoing_ips = [] ipv4 = Diagnoser.get_cached_report("ip", {"test": "ipv4"}) or {} - if ipv4.get("status") == "SUCCESS" and not settings_get("network_ipv6_only"): + if ipv4.get("status") == "SUCCESS" and settings_get("dns_exposure") != "ipv6": outgoing_ipversions.append(4) global_ipv4 = ipv4.get("data", {}).get("global", {}) if global_ipv4: outgoing_ips.append(global_ipv4) - if settings_get("email.smtp.smtp_allow_ipv6") or settings_get("network_ipv6_only"): + if settings_get("email.smtp.smtp_allow_ipv6") or settings_get("dns_exposure") != "ipv4": ipv6 = Diagnoser.get_cached_report("ip", {"test": "ipv6"}) or {} if ipv6.get("status") == "SUCCESS": outgoing_ipversions.append(6) diff --git a/src/dns.py b/src/dns.py index cc7ebd7e7..31c91d590 100644 --- a/src/dns.py +++ b/src/dns.py @@ -186,7 +186,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False): ########################### # Basic ipv4/ipv6 records # ########################### - if ipv4 and not settings_get("network_ipv6_only"): + if ipv4 and not settings_get("dns_exposure") == "ipv6": basic.append([basename, ttl, "A", ipv4]) if ipv6: 
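Review bot: In `src/diagnosers/21-web.py` (hunk `@@ -186`), the `return` now ends in `settings_get("dns_exposure") != "ipv4"`, which is true for the default `"both"`, whereas the removed `settings_get("network_ipv6_only")` was true only in IPv6-only mode. With the default setting the helper therefore returns a truthy value regardless of `AAAA_status`, and the `if failed == 4 or ipv6_is_important_for_this_domain():` below it always passes. To keep the previous meaning, use `return AAAA_status in ["OK", "WRONG"] or settings_get("dns_exposure") == "ipv6"`. The second changed line of the `src/diagnosers/24-mail.py` hunk (`@@ -302`) has the same inversion: `email.smtp.smtp_allow_ipv6` no longer gates the IPv6 branch unless exposure is `"ipv4"`.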
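Review bot: In `src/dns.py` (hunk `@@ -186`), only the A record is gated on `dns_exposure`; the `if ipv6:` test that follows is unchanged, so selecting "IPv4 Only" appears to leave the AAAA record in the generated records (the branch body is outside the hunk, so this is inferred). If "IPv4 Only" is meant to stop publishing the IPv6 address, that line should become `if ipv6 and settings_get("dns_exposure") != "ipv4":`. The same applies to the `if ipv6:` after the wildcard A record in the `@@ -241` hunk. `_build_dns_conf` starts and ends outside both hunks.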
@@ -241,7 +241,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False): # Only recommend wildcard and CAA for the top level if domain == base_domain: - if ipv4 and not settings_get("network_ipv6_only"): + if ipv4 and settings_get("dns_exposure") != "ipv6": extra.append([f"*{suffix}", ttl, "A", ipv4]) if ipv6: diff --git a/src/settings.py b/src/settings.py index f52574785..96f11caeb 100644 --- a/src/settings.py +++ b/src/settings.py @@ -310,7 +310,7 @@ def regen_ssowatconf(setting_name, old_value, new_value): @post_change_hook("nginx_compatibility") @post_change_hook("webadmin_allowlist_enabled") @post_change_hook("webadmin_allowlist") -@post_change_hook("network_ipv6_only") +@post_change_hook("dns_exposure") def reconfigure_nginx(setting_name, old_value, new_value): if old_value != new_value: regen_conf(names=["nginx"]) @@ -342,7 +342,7 @@ def reconfigure_ssh_and_fail2ban(setting_name, old_value, new_value): @post_change_hook("smtp_relay_user") @post_change_hook("smtp_relay_password") @post_change_hook("postfix_compatibility") -@post_change_hook("network_ipv6_only") +@post_change_hook("dns_exposure") def reconfigure_postfix(setting_name, old_value, new_value): if old_value != new_value: regen_conf(names=["postfix"])