ShadowScale FAQ



Recommended settings

In China please use the following settings:

  • Smart Routing: enabled
  • Secure DNS: enabled
  • Proxy Boost: enabled
  • DNS Caching: disabled

Recommended servers

We recommend you select a server on the US West Coast. For example: Los Angeles, Fremont, Silicon Valley, Seattle, etc.

While servers in Asia are physically nearer, intra-Asia connections more often suffer from congestion and other issues.

Server List

What profile type is used?

Shadowscale uses an iOS always-on profile. This minimizes the risk of traffic leaving your device without VPX encryption.

Do server IP addresses get refreshed daily?

Try it and find out. We continuously adapt to new blocking rules. Replacing server IP addresses is one of many strategies we use when needed.

Does the server list refresh in the background?

Shadowscale will try to refresh the server list periodically, even when not running. Whether this succeeds depends on iOS.

When you do not use Shadowscale for a while, iOS may decide to delay the background refreshes until you start Shadowscale again.


Does the DNS leak when Secure DNS is disabled?

With Secure DNS enabled: DNS leaks are prevented, regardless of other settings.

With Secure DNS disabled, it depends:

  • Apps that rely on iOS for DNS resolution:
    • Smart Routing enabled: DNS will leak.
    • Smart Routing disabled: DNS will not leak.
  • Apps that do their own DNS resolution will always leak.

Does Secure DNS use HTTPS/TLS/QUIC?

When Secure DNS is enabled, all DNS requests are tunneled through the VPX to our own DNS server. The VPX uses TLS.

Can I configure a custom DNS?

No, this is not possible.

Are there side-effects to enabling the DNS Cache?

DNS caching can interfere with Content Distribution Networks.

We recommend you disable DNS caching, unless you have a very poor connection.


Does Shadowscale block UDP?

It depends:

  • With Smart Routing enabled: UDP destined for China is allowed. All other UDP is blocked.
  • With Smart Routing disabled: all UDP is blocked.

Does Shadowscale block QUIC?

Yes. QUIC is UDP. See above.


Does Shadowscale use IPv6 for the VPX connection?

When you enable IPv6 support on our website, Shadowscale will use IPv6 where available.

Does Shadowscale relay IPv6 traffic?

Shadowscale supports relaying IPv6 connections when the VPX server has IPv6 connectivity.

Note: when using Proxy Boost the choice to use IPv4 or IPv6 is made by the VPX server.

Leak Prevention

Does traffic leak when the server list updates?

After the server list updates, the app will re-connect to the VPX server.

It's theoretically possible that an app initiates a connection during the re-connect. Such connections are killed immediately once the re-connect completes and are unlikely to transmit any identifiable data.

If you have a very sensitive app, and want to be 100% sure there is no leak, we recommend you disable the Background App Refresh permission for that app, which will prevent it from leaking.

Are all connections forced to use the VPX?

This depends on your Smart Routing setting:

  • Smart Routing enabled: traffic destined for Chinese websites will bypass the VPX connection. This makes connecting to Chinese websites faster and, if you are in China, ensures those websites show you the local version.

  • Smart Routing disabled: all traffic, including traffic to Chinese websites, goes through the VPX. Note: if you are in China, this makes your VPX connection more susceptible to blocking.


What does enabling Proxy Boost do?

Shadowscale has two ways to redirect traffic to the VPX:

  1. Network device interception.
  2. iOS proxy settings (Proxy Boost).

Proxy Boost configures a local proxy server on your device. Apps that honor the iOS proxy settings will automatically use this proxy.

The proxy method uses less memory, allowing Shadowscale to operate more efficiently and support a larger number of connections.