How to keep your ISP’s nose out of your browser history with encrypted DNS | Ars Technica

Using Cloudflare’s 1.1.1.1, other DNS services still require some command-line know-how.

Encrypting DNS traffic between your device and a “privacy-focused” provider can keep someone from spying on where your browser is pointed or using DNS attacks to send you somewhere else.

The death of network neutrality and the loosening of regulations on how Internet providers handle customers’ network traffic have raised many concerns over privacy. Internet providers (and others watching traffic as it passes over the Internet) have long had a tool that allows them to monitor individuals’ Internet habits with ease: their Domain Name System (DNS) servers. And if they haven’t been cashing in on that data already (or using it to change how you see the Internet), they likely soon will.

DNS services are the phone books of the Internet, providing the actual Internet Protocol (IP) network address associated with websites’ and other Internet services’ host and domain names. They turn arstechnica.com into 50.31.169.131, for example. Your Internet provider offers up DNS as part of your service, but your provider could also log your DNS traffic—in essence, recording your entire browsing history.

“Open” DNS services provide a way of bypassing ISPs’ services for reasons of privacy and security—and in some places, evading content filtering, surveillance, and censorship. And on April 1 (not a joke), Cloudflare launched its own new, free high-performance authoritative DNS service designed to enhance users’ privacy on the Internet. This new offering also promised a way to hide DNS traffic completely from view—encryption.

Named for its Internet Protocol address, 1.1.1.1 is the result of a partnership with the research group of APNIC, the Asia-Pacific Internet registry. While it’s also available as an “open” conventional DNS resolver (and a very fast one at that), Cloudflare is supporting two encrypted DNS protocols.

While executed with some unique Cloudflare flare, 1.1.1.1 isn’t the first encrypted DNS service by any means—Quad9, Cisco’s OpenDNS, Google’s 8.8.8.8 service, and a host of smaller providers support various schemes to encrypt DNS requests entirely. But encryption doesn’t necessarily mean that your traffic is invisible; some encrypted DNS services log your requests for various purposes.

Cloudflare has promised not to log individuals’ DNS traffic and has hired an outside firm to audit that promise. APNIC wants to use, for research purposes, the traffic that arrives at the IP address, which has the unfortunate legacy of being a dumping ground for “garbage” Internet traffic, according to APNIC’s Geoff Huston. But APNIC won’t have access to the encrypted DNS traffic in this case, either.

For users, taking advantage of encrypted DNS services from Cloudflare or any other privacy-focused DNS services is not as easy as changing a number in network settings. No operating system currently directly supports any of the encrypted DNS services without the addition of some less-than-consumer-friendly software. And not all of the services are created equal in terms of software support and performance.

But with consumer data as product all over the news as of late, I set out to see just how to get Cloudflare’s encrypted DNS service working. And overcome by my inner lab-rat, I ended up testing and dissecting clients for multiple DNS providers using three of the established protocols for DNS encryption: DNSCrypt, DNS over TLS, and DNS over HTTPS. All of them can work, but let me warn you: while it’s getting easier, choosing the encrypted DNS route is not something you’d necessarily be able to walk Mom or Dad through over the phone today. (Unless, of course, your parents happen to be seasoned Linux command-line users.)

Figure: How DNS works. (Sean Gallagher)

Why are we doing this, again?

There are plenty of reasons to want to make DNS traffic more secure. While Web traffic and other communications may be protected by cryptographic protocols such as Transport Layer Security (TLS), almost all DNS traffic is transmitted unencrypted. That means that your ISP (or anyone else between you and the rest of the Internet) can log the sites you visit even when you use another DNS service and use that data for a number of purposes, including filtering access to content and collecting data for advertising purposes.

Figure: What a typical DNS conversation between a device and a DNS resolver looks like.

“We have a ‘last mile’ problem in DNS,” said Cricket Liu, Chief DNS Architect at the network security company Infoblox. “Most of the security mechanisms we have dealt with server-to-server issues. But we have this problem where we have stub resolvers on various operating systems and don’t really have any way to secure them.” That’s particularly a problem, Liu said, in countries that have a more hostile relationship with the Internet.

Just using a non-logging DNS service helps to some degree. But it doesn’t prevent someone from filtering those requests based on content or capturing the addresses within them with packet capture or deep packet-inspection gear. And in addition to simple, passive eavesdropping attacks, there’s also the threat of more active attacks against your DNS traffic—efforts by an ISP or a government on the wire to “spoof” the identity of a DNS server, routing traffic to their own server to log or block traffic. Something similar (albeit apparently not maliciously) appears to be happening with AT&T’s (accidental) misrouting of traffic to Cloudflare’s 1.1.1.1 address, based on the observations of forum posters on DSLReports.

The most obvious way to dodge monitoring is by using a virtual private network. But while VPNs conceal the contents of your Internet traffic, connecting to a VPN might require a DNS request first. And once you’ve launched a VPN session, DNS requests may occasionally get routed outside of your VPN connection by Web browsers or other software, creating “DNS leaks” that expose which sites you’re visiting.

That’s where encrypted DNS protocols come in—the DNSCrypt protocol (supported by Cisco OpenDNS, among others), DNS resolution over TLS (supported by Cloudflare, Google, Quad9, and OpenDNS), and DNS resolution over HTTPS (currently supported by Cloudflare, Google, and the adult-content-blocking service CleanBrowsing). Encrypted traffic both ensures that traffic can’t be sniffed or modified and that requests can’t be read by someone masquerading as the DNS service—eliminating middle-man attacks and spying. Using a DNS proxy for one of these services (either directly on your device or on a “server” inside your local network) will help prevent VPN DNS leaks, since the proxy will always be the fastest-responding DNS server.

That privacy does not come packaged for mass consumption, however. None of these protocols is currently supported natively by any DNS resolver pre-packaged with an operating system. All of them require the installation (and probably compilation) of a client application that acts as a local DNS “server,” relaying requests made by browsers and other applications upstream to the secure DNS provider of your choice. And while two out of three of the technologies are proposed standards, no option we tested is necessarily in its final form.

So if you choose to dive into encrypted DNS, you will probably want to use a Raspberry Pi or some other dedicated piece of hardware to run it as a DNS server for your home network. That’s because you’ll find that configuring one of these clients is more than enough hackery. Why repeat the process multiple times when you can just query your local network’s dynamic host configuration protocol (DHCP) settings to point everything at one successful installation as a DNS server? I asked myself this question repeatedly as I watched clients crash on Windows and fall asleep on MacOS during testing.

Figure: The DNSCrypt community has tried to make this tool available to the non-command-line public with tools like DNSCloak (left) on iOS and Simple DNSCrypt (right) for Windows. (DNSCloak / Simple DNSCrypt)

Get Crypty

For the sake of completeness, let’s start with the original encrypted-DNS option, DNSCrypt. First introduced in 2008 on BSD Unix, DNSCrypt wasn’t originally intended as a privacy tool but as a way to protect against DNS “spoofing.” However, it can be used as part of a privacy solution—particularly when paired with a non-logging DNS provider. And as DNSCrypt developer Frank Denis pointed out, there are many more DNSCrypt-enabled servers out there than any other sort of encrypted DNS.

“DNSCrypt is a bit more than a protocol,” Denis said. “At this point, the community and the projects being worked on define it better than my weekend project protocol.” The DNSCrypt community has built easy-to-use clients such as Simple DNSCrypt for Windows and an Apple iOS client called DNS Cloak, making encrypted DNS more accessible to non-technical people. And others have set up an independent network of privacy-aware DNS servers based on the protocol that helps users evade corporate DNS systems.

“DNSCrypt is not about connecting to a specific company,” Denis said. “We encourage everybody to run their own servers and make it very cheap and easy to do so. Now that we have privacy-aware resolvers, one thing I’m trying to address right now is privacy-aware content filtering.”

For those looking to build a DNSCrypt-enabled DNS server for their whole network, the best client available is DNSCrypt Proxy 2. An earlier version of DNSCrypt Proxy is still available as a package for most of the major Linux distributions, but you’ll want to download the binary of the new version directly from the project’s GitHub site. There are versions for Windows, MacOS, BSD, and Android as well.

The experience that the DNSCrypt community has built up around privacy is evident in DNSCrypt Proxy. The software is highly configurable, with support for time-access restrictions, pattern-based domain and IP address blacklisting, query logging, and other features that make it a fairly powerful local DNS server. But it requires only the most basic of configuration to get started. There’s a sample configuration file, formatted in TOML (Tom’s Obvious Minimal Language, created by GitHub co-founder Tom Preston-Werner), which you can simply rename to be the working configuration file before firing DNSCrypt Proxy up.

By default, the proxy uses Quad9’s open DNS resolver as a bootstrap to find and obtain a curated list of open DNS services from GitHub, then it connects to the server with the fastest response time; you can change the configuration and select a service by name if desired. Server information in the list is encoded as a “server stamp” that includes the provider’s IP address, public key, whether the server supports DNSSEC, whether the provider keeps logs, and whether the provider blocks some domains. (If you’d rather not depend on a remote file for setup, you can also use a JavaScript-based “stamp calculator” to build your own local static list of servers using this stamp format.)
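To make the “server stamp” concrete, here is an added example (not code from the dnscrypt-proxy project or the article) that encodes and decodes a DNSCrypt stamp following the layout the project publishes for protocol 0x01: a protocol byte, a 64-bit little-endian property field (DNSSEC, no-logs, no-filter bits), then length-prefixed address, provider public key and provider name, all base64url-encoded behind sdns://. The address, key and provider name in the sample are constructed, not a real resolver.

```python
"""Encode and decode DNSCrypt "server stamps", the sdns:// strings in the
resolver list that DNSCrypt Proxy fetches.  Added example, not code from the
dnscrypt-proxy project; it follows the stamp layout published by that project
for protocol 0x01 (DNSCrypt) stamps only."""
import base64
import struct
from dataclasses import dataclass

# Informal property bits carried in the 64-bit little-endian "props" field.
PROP_DNSSEC = 1 << 0     # resolver validates DNSSEC
PROP_NO_LOGS = 1 << 1    # provider claims not to keep query logs
PROP_NO_FILTER = 1 << 2  # provider claims not to block any domain

PROTO_DNSCRYPT = 0x01


@dataclass
class DNSCryptStamp:
    address: str          # "ip:port" the client connects to
    public_key: bytes     # provider's 32-byte Ed25519 signing key
    provider_name: str    # e.g. "2.dnscrypt-cert.example.org"
    props: int = 0


def _lp(data: bytes) -> bytes:
    """One-byte length prefix followed by the data."""
    if len(data) > 255:
        raise ValueError("stamp field longer than 255 bytes")
    return bytes([len(data)]) + data


def _take_lp(buf: bytes, pos: int):
    """Read a length-prefixed field; return (data, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    n = buf[pos]
    data = buf[pos + 1:pos + 1 + n]
    if len(data) != n:
        raise ValueError("truncated stamp")
    return data, pos + 1 + n


def encode_stamp(stamp: DNSCryptStamp) -> str:
    if len(stamp.public_key) != 32:
        raise ValueError("DNSCrypt provider key must be 32 bytes")
    raw = (bytes([PROTO_DNSCRYPT])
           + struct.pack("<Q", stamp.props)
           + _lp(stamp.address.encode("ascii"))
           + _lp(stamp.public_key)
           + _lp(stamp.provider_name.encode("ascii")))
    return "sdns://" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_stamp(text: str) -> DNSCryptStamp:
    if not text.startswith("sdns://"):
        raise ValueError("not a server stamp")
    b64 = text[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not raw or raw[0] != PROTO_DNSCRYPT:
        raise ValueError("only DNSCrypt (0x01) stamps are handled here")
    if len(raw) < 9:
        raise ValueError("truncated stamp")
    props = struct.unpack("<Q", raw[1:9])[0]
    address, pos = _take_lp(raw, 9)
    public_key, pos = _take_lp(raw, pos)
    provider, pos = _take_lp(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes in stamp")
    if len(public_key) != 32:
        raise ValueError("bad provider key length")
    return DNSCryptStamp(address.decode("ascii"), public_key,
                         provider.decode("ascii"), props)


def describe(stamp: DNSCryptStamp) -> dict:
    """The flags a user wants to know before choosing a resolver."""
    return {
        "dnssec": bool(stamp.props & PROP_DNSSEC),
        "no_logs": bool(stamp.props & PROP_NO_LOGS),
        "no_filter": bool(stamp.props & PROP_NO_FILTER),
    }


# Constructed sample: documentation address, dummy key, made-up provider name.
SAMPLE = DNSCryptStamp("203.0.113.5:443", b"\x11" * 32,
                       "2.dnscrypt-cert.example.org", PROP_DNSSEC | PROP_NO_LOGS)

if __name__ == "__main__":
    stamp_text = encode_stamp(SAMPLE)
    print(stamp_text)
    print(describe(decode_stamp(stamp_text)))
```

Decoding a stamp before trusting it is the useful part: the no-logs and no-filter bits are the provider’s own claims, carried in the list, so a client that reads them can at least refuse resolvers whose stamp says they log or filter.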

For my testing with the DNSCrypt protocol, I used Cisco’s OpenDNS as the remote DNS service. DNSCrypt’s performance was a little slower than conventional DNS on first-time requests, but DNSCrypt Proxy caches results after that. The slowest queries were in the 200-millisecond range, while the average responses were more in the 30-millisecond range. (Your mileage may vary, depending on your ISP, the recursion required to find the domain, and other factors.) On the whole, I didn’t notice the speed hit while Web browsing.

DNSCrypt’s main advantage is that it acts the most like “normal” DNS. For good or ill, it uses UDP traffic—on port 443, the same port used for secure Web connections. That makes for relatively fast address resolutions and makes it less likely to be blocked by a network provider’s firewall. To further decrease the likelihood of being blocked, you can change the configuration of your client to force it to use TCP/IP for queries (with minimal impact on response times, based on my testing), which makes it look like HTTPS traffic to most network filters—at least on the surface.

Figure: DNSCrypt traffic revealed, along with DNSCrypt Proxy local traffic. Wireshark says it’s HTTPS traffic here, because I forced it to use TCP. Over UDP, Wireshark thinks it’s Chrome’s QUIC traffic.

On the downside, DNSCrypt doesn’t rely on trusted certificate authorities for its encryption—the client has to trust the public signing key issued by the provider. That signing key is used to verify certificates that are retrieved via conventional (unencrypted) DNS requests and used for key exchange, using the X25519 key-exchange algorithm. In some (older) implementations of DNSCrypt, there’s a provision for a client-side certificate that can be used as an access-control scheme—allowing them to log your traffic regardless of what IP address you come from and associate it with your account. This isn’t used in DNSCrypt 2.

Working with the DNSCrypt protocol as a developer is a bit of a challenge. “DNSCrypt is not particularly well documented, and there are not a lot of implementations of it,” said Infoblox’s Liu. DNSCrypt Proxy is the only client in active development that we could find, and OpenDNS has stopped supporting development.

DNSCrypt’s interesting cryptography choices (at least from the point of view of developers used to Web crypto) may spook some developers. The protocol uses Curve25519 (RFC 8032), X25519 (RFC 8031), and ChaCha20-Poly1305 (RFC 7539) cryptography. One implementation of the X25519 algorithm is labeled as “cryptographic hazmat” in the Pyca Python cryptography libraries because it is so easy to misconfigure. But the underlying cryptographic algorithm DNSCrypt uses, Curve25519, is “one of the easiest elliptic curves to use safely,” said Denis.

DNSCrypt was never considered an Internet Engineering Task Force standard, Denis said, because it was built by volunteers and didn’t have corporate sponsorship. Submitting it “would have required dedicated time, as well as defending it at IETF meetings,” he said. “I can’t afford that and neither can other developers who are working on this on their spare time. Virtually all the ratified DNS-related specifications are effectively written by people from a handful of companies, always the same year after year. Unless you work at a DNS company, it’s effectively hard to have a say.”

While there are a number of DNS services that use DNSCrypt (such as CleanBrowsing, which blocks adult content domains, and Cisco OpenDNS, which blocks malicious domains), newer privacy-focused DNS providers (including Google, Cloudflare, and Quad9) have eschewed DNSCrypt and opted for the other, IETF-blessed contenders: DNS over TLS and DNS over HTTPS. DNSCrypt Proxy now supports DNS over HTTPS, and it includes Cloudflare, Google, and Quad9 in its configuration defaults.

Figure: TLS was once CloudFlare’s focus when it came to strengthening encryption for Web traffic against snooping (https://arstechnica.com/information-technology/2014/02/making-nsa-style-spying-harder-cloudflare-offers-more-robust-web-crypto/).

Hashing it out with TLS

DNS over TLS (Transport Layer Security) has a few advantages over DNSCrypt. For one, it’s a proposed IETF standard. It’s also pretty straightforward in its approach—it takes standard-format DNS requests and encapsulates them in encrypted TCP traffic. Aside from the TLS-based encryption, it’s essentially the same as running DNS over TCP/IP instead of UDP.

There are few functioning clients for DNS over TLS. The best option I found, called Stubby, was developed by the DNS Privacy Project. Stubby is available as part of a Linux package, but there’s also a MacOS version (installable with the Homebrew tool) and a Windows version—though the Windows code is still a work in progress. While I got Stubby working reliably after wrestling with some code-dependency problems on Debian, it failed regularly on Windows 10 and has a tendency to hang on MacOS. If you’re looking for a good how-to on installing Stubby on Linux, the best documentation I found was a Reddit post by Frank Santoso, who also wrote a shell script that can handle the task of installation on a Raspberry Pi.

On the upside, Stubby does allow for configurations that use multiple services based on DNS over TLS. Stubby’s configuration file, written in YAML, allows for multiple IPv4 and IPv6 services to be set up, and it includes settings for SURFNet, Quad9, and other services. The YAML implementation used by Stubby is spacing-sensitive, however, so use caution when adding a new service (such as Cloudflare). I used a tab in my first attempt, and it blew the whole thing up.

DNS-over-TLS clients authenticate the service they connect to using Simple Public Key Infrastructure (SPKI). SPKI uses a locally stored cryptographic hash of the provider’s certificate, usually based on the SHA256 algorithm. In Stubby, that hash is stored as part of the YAML description of the server in the configuration file, as shown below:

upstream_recursive_servers:
#IPv4
#Cloudflare DNS over TLS server

- address_data: 1.1.1.1
  tls_auth_name: "cloudflare-dns.com"
  tls_pubkey_pinset:
  - digest: "sha256"
    value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 1.0.0.1
  tls_auth_name: "cloudflare-dns.com"
  tls_pubkey_pinset:
  - digest: "sha256"
    value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

After the client establishes a TCP connection to the server over port 853, the server presents its certificate and the client checks it against the hash. If everything is fine, then the client and server do a TLS handshake, passing keys and starting an encrypted session. From there on, the data within the encrypted session follows the same rules as DNS over TCP.
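The pin check described above is easy to get wrong, so here is an added example (not Stubby’s code) of what the tls_pubkey_pinset value actually is and how a client verifies it: the pin is the base64 encoding of SHA-256 over the DER SubjectPublicKeyInfo of the certificate the resolver presents, compared against each entry of the pinset. A throwaway certificate is constructed inline with a minimal DER encoder so the check runs offline; its key material and names are placeholders, not a real certificate.

```python
"""Compute and check a DNS-over-TLS SPKI pin: base64(SHA-256(SubjectPublicKeyInfo))
of the resolver's certificate, the value Stubby stores under tls_pubkey_pinset.
Added example, not Stubby code.  A throwaway certificate is constructed below
with a minimal DER encoder so the check runs offline; real use hashes the SPKI
of the certificate the resolver presents on port 853."""
import base64
import hashlib


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag)."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, body, next_pos)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        nb = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    body = buf[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated DER")
    return tag, body, pos + n


def _children(body: bytes):
    """Split a constructed body into (tag, full_tlv) pairs."""
    pos, out = 0, []
    while pos < len(body):
        tag, _, nxt = _read_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # optional explicit [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """The pin value as it appears in the YAML: base64 of SHA-256 of the SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pinset(cert_der: bytes, pinset: list) -> bool:
    """pinset: list of {"digest": "sha256", "value": "<base64>"} as in Stubby's YAML.
    Unknown digest types fail closed rather than being skipped."""
    pin = spki_pin(extract_spki(cert_der))
    for entry in pinset:
        if entry.get("digest", "").lower() != "sha256":
            raise ValueError("only sha256 pins are supported")
        if entry["value"] == pin:
            return True
    return False


# Constructed sample certificate (not CA-issued): ecPublicKey on prime256v1
# with a dummy 65-byte uncompressed point; issuer, validity and subject left empty.
_EC_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
              + der(0x06, bytes.fromhex("2a8648ce3d030107")))
SAMPLE_SPKI = der(0x30, _EC_ALG + der(0x03, b"\x00\x04" + b"\xab" * 64))
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02"))           # version v3
         + der(0x02, b"\x01")                            # serial number
         + _SIG_ALG
         + der(0x30, b"") + der(0x30, b"") + der(0x30, b"")   # issuer, validity, subject
         + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + b"\x00" * 8))

if __name__ == "__main__":
    print("pin:", spki_pin(extract_spki(SAMPLE_CERT)))
```

Because the pin covers the public key rather than the whole certificate, a provider can renew a certificate under the same key without breaking clients; it is a key rotation that forces the cut-and-paste update the article goes on to describe.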

After getting Stubby up and running, I changed my network settings for DNS to make requests to 127.0.0.1 (localhost). The change at the moment of the switchover, captured by the Wireshark packet capture tool, tells the story: my DNS traffic went from being readable to invisible.

Figure: Throwing the switch, from conventional DNS traffic to TLS encrypted.

While DNS over TLS may function just like DNS over TCP, the TLS encryption takes a little bit of a toll on its performance. “Dig” queries to Cloudflare via Stubby took an average of about 50 milliseconds for me (your mileage may vary) as opposed to the sub-20-millisecond responses I got from naked DNS requests to Cloudflare.

Part of the performance problem is on the server-side because of the added weight of using TCP. DNS typically uses UDP because of its connectionless nature—a UDP message is fire-and-forget, while a TCP message requires the negotiation of the connection and verification of receipt. A UDP-based version of DNS over TLS—called DNS over Datagram Transport Layer Security (DTLS)—is in its experimental phase and could increase the protocol’s performance.

There’s also a certificate-management issue here. If a provider retires a certificate and starts using a new one, there’s currently no clean way to update the SPKI data on clients other than cutting and pasting it into the configuration file. Before this approach becomes fully baked, some sort of key-management scheme would be helpful. And since it operates on port 853—a port that isn’t frequently opened up by firewalls—DNS over TLS gets voted “most likely to be blocked.”

That’s not a problem for the last stop on our protocol hit parade, though: DNS over HTTPS passes through most firewalls like they aren’t even there.

Figure: Google and Cloudflare seem to be on the same page with the future of encrypted DNS. (Aurich / Thinkstock)

DNS over HTTPS: DoH!

Google and Cloudflare both appear to favor DNS over HTTPS, also known as DoH, as the future of encrypted DNS. A draft IETF standard, the DoH protocol encapsulates DNS requests with secure HTTP—turning DNS requests into encrypted Web traffic.

Requests are sent as an HTTP POST or GET with queries in DNS message format (the datagram used in conventional DNS requests) or as an HTTP GET request using JSON (if you like your DNS with extra overhead). And there’s no issue here with certificate management. Just as with normal HTTPS Web traffic, no authentication is required to connect over DoH, and certificate validity can be verified by a certificate authority.
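Here is an added example (not code from any client in this article) that shows the message both IETF protocols carry: it builds a wire-format DNS query, frames it with the two-byte length prefix that DNS over TCP and DNS over TLS use, encodes it as the ?dns= parameter of a DoH GET (base64url without padding), and parses a reply, including the name-compression pointers resolvers use. The reply bytes are constructed here rather than captured, using the arstechnica.com address quoted earlier in the article.

```python
"""DNS messages on the wire, and how the two IETF protocols carry them:
DNS over TLS sends the same message with a two-byte length prefix (as DNS over
TCP does, on port 853); DNS over HTTPS sends it as the body of a POST or, for
GET, base64url-encoded in the ?dns= query parameter.  Added example, not from
any client on this page; the response below is constructed, not captured."""
import base64
import struct

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'arstechnica.com' -> b'\\x0barstechnica\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    # flags 0x0100: standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def tcp_frame(msg: bytes) -> bytes:
    """Framing used inside a DNS-over-TLS (or plain TCP) stream."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_param(msg: bytes) -> str:
    """Value of the ?dns= parameter for a DoH GET: base64url, no padding."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, pos: int):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), (end if jumped else pos)


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_sample_response() -> bytes:
    """Constructed reply to build_query('arstechnica.com'): one A record,
    using the address quoted earlier in the article."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("arstechnica.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
    answer = (b"\xC0\x0C"                                   # pointer to name at offset 12
              + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
              + bytes([50, 31, 169, 131]))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("arstechnica.com")
    print("DoT frame:", tcp_frame(q).hex())
    print("DoH GET:   https://cloudflare-dns.com/dns-query?dns=" + doh_get_param(q))
    print(parse_response(build_sample_response()))
```

The point to notice is that the DNS message itself is identical in all three cases; only the wrapper changes, which is why DNSCrypt Proxy could add DoH with the wire format rather than JSON and why a stub that already parses DNS needs little new code.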

Figure: A capture of a DNS transaction over DoH. HTTPS, TLS. That’s all there is; there isn’t any more.

HTTPS is a pretty chunky protocol to be sending DNS requests with—especially with JSON along for the ride—so there’s a little bit of a performance hit. The server-side resources required would almost certainly make a conventional DNS server admin’s eyes water. But the ease of working with well-understood Web protocols makes developing both client and server code for DoH a lot more approachable to developers who’ve cut their teeth on Web applications. (Engineers at Facebook coded a proof-of-concept DoH server and client in Python in just a few weeks earlier this year.)

As a result, even though the pixels are barely rezzed on the RFC for DoH, there’s already a raft of ready-to-run DNS-over-HTTPS clients, though some of them are built specifically for one DNS provider. The size of the performance hit your DNS resolution will take depends a lot on the server you point at and how well those developers did their job.

Take Cloudflare’s Argo tunneling client (aka “cloudflared“), for example. Argo is a multipurpose tunneling tool intended primarily to provide a secure channel for Web servers to connect to Cloudflare’s content delivery network. DNS over HTTPS is just another service that got bolted on.

By default, if you start Argo from the command line (which on Linux and MacOS requires superuser privileges, and on Windows requires execution from PowerShell as an administrator), Argo directs DNS requests to https://cloudflare-dns.com/dns-query. That causes a small problem if there’s no conventional DNS server configured—if it can’t resolve that address to 1.1.1.1, then it will fail to start.

This can be fixed in one of three ways. The first option is to configure your device with the local host (127.0.0.1 for IPv4 and ::1 in IPv6) as the primary DNS server for your network configuration and then add 1.1.1.1 as a secondary resolver. This will work, but it’s not ideal for privacy or performance. A better option is adding the server’s URL at the command line at startup:

$ sudo cloudflared proxy-dns --upstream https://1.0.0.1/dns-query

If you’re convinced you want to make Cloudflare your way to roll—which gives you the benefit of automatic updates—you can set it up as a service in Linux, using a YAML-based configuration file that contains the IPv4 and IPv6 addresses of Cloudflare’s DNS service:

proxy-dns: true
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query

When configured with the proper upstream addressing, Argo’s dig-query performance varied widely—from 12 milliseconds (for popular domains) to as much as 131 milliseconds. Pages with a lot of cross-site content took… a little longer than usual to load. Again, your mileage may vary, and it probably will be based on your location and peerage. But this is about what I expected from the lugubrious DoH protocol.

Figure: Like Cloudflare (https://blog.cloudflare.com/argo-tunnel/), we opted for tunnels rather than Affleck to illustrate Argo. (Wikimedia)

To confirm this was, in fact, a DoH issue and not a Cloudflare issue, I tried two other DoH “stubs.” The first was a Go-based proxy for Google’s DNS over HTTPS service called Dingo, a tool written by Paweł Foremski, an Internet researcher at the Institute of Theoretical and Applied Informatics of the Polish Academy of Sciences. Dingo works exclusively with Google’s DoH implementation, but it can be tuned to use the nearest instantiation of Google’s DNS service. That’s a good thing—before tuning, the Dingo ate my DNS performance. Queries with dig averaged well over 100 milliseconds.

By checking how dns.google.com resolved from a standard DNS request, I got an alternate address to Google’s default 8.8.8.8 IP address (172.217.8.14, if you must know). I appended that IP address to Dingo on the command line:

$ sudo ./dingo-linux-amd64 -port=53 -gdns:server=172.217.8.14

This cut response times down by about 20 percent—in the same ballpark, average-wise, as Cloudflare’s Argo.

The best DoH performance, however, came from an unexpected source: DNSCrypt Proxy 2. With the recent addition of Cloudflare’s DoH service to the stub’s curated list of public DNS services, DNSCrypt Proxy will almost always connect to Cloudflare by default because of the server’s low latency. To make sure, I even manually configured it for Cloudflare’s resolver over DoH before throwing my battery of dig queries at it.

All of the queries were resolved in less than 45 milliseconds—faster than Cloudflare’s own service by a wide margin. Using Google’s DoH service, performance slowed a bit—queries averaged around 80 milliseconds. That speed came without tuning it to a more local Google DNS server.

On the whole, DNSCrypt Proxy’s DoH performance was virtually indistinguishable from that of the DNS-over-TLS resolver I tested. In fact, it was faster. I’m not sure if this was because of how DNSCrypt Proxy implemented DoH—using the standard DNS message format encapsulated in HTTPS instead of the JSON format—or if it was related to how Cloudflare handled the two different protocols.

Figure: We are not Batman. But my threat model is still a bit more complicated than most.

Was this trip really necessary?

I am a professional paranoiac. My threat model is different from yours, and I would prefer to keep as much of my online activity as secure as possible. But given the number of current privacy and security threats that leverage manipulation of DNS traffic, there’s a strong case for many people to use some form of DNS encryption. As I pleasantly discovered, there are implementations of all three of the protocols I looked at that don’t have a profound negative impact on network traffic speeds. However, it’s also important to note that these services alone do not ensure your browsing is concealed. The Server Name Indication (SNI) extension of TLS, used in HTTPS connections, can still reveal in plain text the name of the site you’re visiting if the server it is on hosts multiple sites. For total privacy, you’ll still need to use a VPN (or Tor) to encapsulate your traffic in a way that your ISP or some other party monitoring your traffic can’t scrape metadata from (and none of these services work with Tor). And if you’re dealing with a state-funded adversary, all bets are off.
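To show how little the SNI caveat above depends on DNS, here is an added example (not from the article) that builds a minimal TLS ClientHello and then extracts the server name from it the way any passive observer on the path can, since the extension precedes any key exchange and is sent in the clear. The ClientHello is constructed by the builder in the block, not captured traffic, and the hostname is the one the article uses.

```python
"""What an on-path observer still learns from an HTTPS connection even with
encrypted DNS: the Server Name Indication (SNI) extension in the TLS
ClientHello is sent before any encryption is negotiated.  Added example; the
ClientHello below is constructed with a small builder, not captured traffic."""
import struct


def _vec(data: bytes, size: int) -> bytes:
    """TLS variable-length vector: big-endian length of `size` bytes, then data."""
    return len(data).to_bytes(size, "big") + data


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    sni_entry = b"\x00" + _vec(server_name.encode("ascii"), 2)    # name_type 0 = host_name
    sni_ext = struct.pack("!H", 0) + _vec(_vec(sni_entry, 2), 2)  # extension type 0
    body = (b"\x03\x03"                     # client_version
            + b"\x00" * 32                  # random (zeroed: constructed sample)
            + _vec(b"", 1)                  # session_id
            + _vec(b"\x13\x01\x13\x02", 2)  # cipher_suites
            + _vec(b"\x00", 1)              # compression_methods
            + _vec(sni_ext, 2))             # extensions
    handshake = b"\x01" + _vec(body, 3)     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)   # ContentType handshake(22)


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if not hs or hs[0] != 0x01:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            list_end = 2 + int.from_bytes(edata[:2], "big")
            p = 2
            while p + 3 <= list_end:
                name_type = edata[p]
                nlen = int.from_bytes(edata[p + 1:p + 3], "big")
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("arstechnica.com")
    print("observer sees:", extract_sni(hello))
```

This is the same field a passive DNS-monitoring box would pivot to once DNS itself is encrypted, and it is why the article’s advice that a VPN or Tor is needed for full concealment stands even with every DNS query hidden.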

The other problem is that while the fine folks in the DNSCrypt community have done great work, this kind of privacy is still too hard for average people. While I found it relatively easy to configure some of these encrypted DNS clients, none of them is exactly easy for normal Internet users to implement. For these services to become really useful, they have to be better integrated into the stuff people buy—home routers and desktop and mobile operating systems. Conventional DNS traffic is going to be increasingly monetized by Internet providers, and it will remain a tool of both states and criminals to steer Internet users into harm’s way. But it’s unlikely that major operating-system developers are going to embrace armoring up DNS in a way that’s accessible to most users, because they’re often in the same monetization game as ISPs. On top of that, those developers could face resistance to making changes from some governments that want to preserve DNS-monitoring capabilities.

So for now, these protocols are going to remain the tool of the few who care enough about privacy to go the extra mile. Here’s hoping that the privacy community around DNSCrypt continues to care enough to push things forward.

Are vegan milks healthier than dairy? The truth about almond, soy – TODAY.com

The truth about almond, soy, rice and flax: Decoding dairy and vegan milks

Whether you’re vegan, vegetarian or just thinking about creamy beverages, it’s impossible to avoid the many new milks (or “mylks”) popping up in or near the dairy aisle these days.

Buying soy and rice milks once meant venturing to a hole-in-the-wall health food store, but now, milk shelves in large supermarkets are more crowded than ever, so it can be pretty hard to know which milk is really right for you.

Figure: Home-made hemp milk with whole seeds and shelled seeds. (Getty Images)

Bonnie Taub-Dix, RDN, creator of BetterThanDieting.com and author of “Read It Before You Eat It: Taking You From Label to Table“, shed some light on the latest information about the many milks on the market. Milk substitutes can be a great option if you’re avoiding animal products, counting calories, love trying different flavors, or need to abstain from dairy due to food allergies. Taub-Dix said all varieties hydrate well but each has different pros and cons.

Madelyn Fernstrom, NBC News Health and Nutrition Editor, added, “When it comes to choosing milk products, decide what nutrients are most important to you to include — or remove. There is no single perfect product, and ‘one size does not fit all’.”

Here’s what to look for when choosing the right option to buy or — if you’re feeling adventurous — to make at home yourself.

Cow’s milk

Cow’s milk has muscle-strengthening protein and bone-building calcium, as well as phosphorous and vitamin D. The downside to real dairy is that it contains a sugar called lactose that can be difficult for some to digest. But at every fat percentage, a serving of cow’s milk contains 30 percent of your recommended daily calcium needs.

Nutrition info for 1 cup of milk (8 ounces):

Skim: 80 calories; 8 grams of protein; no fat
1 percent: 100 calories; 8 grams of protein; 2 grams of fat
2 percent: 120 calories; 8 grams of protein; 5 grams of fat
Whole milk: 150 calories; 8 grams of protein; 8 grams of fat

Almond milk

Almond milk is naturally free of cholesterol, saturated fat and lactose. It’s rich in calcium, vitamins D, E and A, and has far fewer calories than other milks. Almond milk has a smooth, nutty flavor, which Taub-Dix says will “shine in recipes,” including muffins, soups, smoothies and stews. Almond Breeze is available cold and in shelf-stable varieties, so it’s great to store in bulk. Like any beverage made from tree nuts, almond milk is not suitable for those with nut allergies.

Nutrition info for 1 cup (unsweetened, plain): 30 to 50 calories; up to 1 gram of protein; 2 to 2.5 grams fat. Many commercially available varieties of almond milk contain 30 to 45 percent of the recommended daily value of calcium per serving.


Soy milk

Soy milk has been around for a long time but has been made more popular in the last decade due to big brands like Silk. Taub-Dix says it’s best to choose a soy milk that’s fortified with calcium and vitamin D, but be sure to shake it well before drinking since these nutrients can settle to the bottom of the container. Soy is a solid substitute for those with nut or dairy allergies, but many people suffer from soy allergies, too.

Some studies have shown that increased soy consumption can increase tumor growth at the cellular level, while others say it may have a protective effect on breast cancer. Overall, it’s a healthy option, Taub-Dix told TODAY, but recommends that consumers look for “whole soy in products like tofu and edamame [which is] preferable to processed soy often found as soy protein isolates that are found in many snack products.” In other words, eating soy beans in their raw form (or drinking fresh soy milk) is preferable to consuming a refined soy product that has been stripped of its natural (and nutritionally beneficial) fat and fiber, which can be found in protein powders and junk food.

Nutrition info for 1 cup (low-fat, plain): 60 to 90 calories; 4 to 6 grams protein; 1.5 to 2 grams fat and 20 to 45 percent of the recommended daily value for calcium.


Rice milk

Made by combining partially milled rice and water, rice milk is naturally sweet and comes in a variety of flavors. The downside? Most varieties barely contain any protein.

Nutrition info for 1 cup: 90 to 130 calories; 1 gram protein; 2 to 2.5 grams fat and 30 percent of the recommended daily value for calcium.

Coconut milk (canned)

If you’re someone who enjoys a fuller fat, super creamy milk experience, this alternative may be right for you. Taub-Dix reminds shoppers not to confuse coconut milk with its lower-calorie relative, coconut water. Sweetened versions can pack almost 450 calories per cup, and it packs in a lot of saturated fat. Lighter versions are available with 60 percent fewer calories and fat than regular coconut milk. This milk is not to be consumed like dairy milk but should be considered more like a substitute for heavy creams.

Nutrition info for 1 cup: 445 calories, 4 grams of protein; 48 grams of fat and 4 percent of the recommended daily value for calcium.


Hemp milk

Derived from hemp seeds, which are rich in a plant-based omega-3 fatty acid called alpha-linolenic acid (ALA), this milk is beneficial for reducing the risk of heart disease and inflammation, says Taub-Dix. Hemp milk is higher in fat than other milk alternatives, but it makes up for it with a hefty dose of calcium.

Nutrient info for 1 cup: 140 calories; 3 grams of protein; 5 grams of fat; 50 percent of the recommended daily value of calcium.

Peanut milk

Peanut milk is one of the newer varieties of nut milks (such as Elmhurst’s milked peanuts) and has a strong flavor of — you guessed it — peanuts. This milk can be a very tasty choice for those seeking an extra nutty kick in their cereals or certain dishes, but it should definitely be avoided by anyone with a nut allergy. It’s also on the higher end when it comes to fat grams per serving.

Nutrition info for 1 cup: 150 calories; 6 grams of protein; 11 grams of fat and 2 percent of the recommended daily value of calcium.

Flax milk

Flax seeds are tiny but pack a lot of nutritional punch. They are a great source of plant-based protein and calcium, and of omega-3 fats, which our bodies do not create naturally. An unsweetened box of a brand like Good Karma can be stored in the pantry for months before it’s opened and has a very creamy taste.

Nutrition info for 1 cup: 70 calories; 8 grams of protein; 3.5 grams of fat and 30 percent of the daily value of calcium.

Oat milk

This milk is naturally sweet and can be used in recipes ranging from gravy to cupcakes, but it’s also fine by itself in coffee, cereal and more. For those who like a sweeter taste, this is a nice option, even without added sugars or flavorings such as vanilla. It’s also incredibly low in fat.

Nutrition info for 1 cup: 130 calories; 4 grams of protein; 2.5 grams of fat; 35 percent of the recommended daily value of calcium.


Cashew milk

This nut milk is one of the more similar plant-based alternatives to cow’s milk, as it has a creamy texture and mild taste. It makes great smoothies and is a delicious accompaniment to cereal. But most commercially available varieties don’t have much calcium.

Nutrition info for 1 cup (unsweetened): 70 calories; 2 grams of protein; 4 grams of fat; 4 percent of recommended daily value of calcium.

Pea milk

This milk isn’t made from nuts and it doesn’t come from an animal.

Many milk alternatives containing nuts present issues for individuals with both a dairy intolerance and a nut allergy. Enter pea milk. Ripple, one of the biggest players in the relatively new pea-milk game, says its product is gentle on the body and the planet. This milk is vegan and it’s totally free of dairy, nuts, lactose and gluten. It’s surprisingly creamy but the truth is, in its unflavored form, there is a very real, faint pea-like taste that may be difficult for traditional milk lovers to swallow.

Nutrition info for one cup: 100 calories; 8 grams of protein; 4.5 grams of fat and 45 percent of the recommended daily value of calcium.


Step-By-Step Guide to Migrating Your WordPress Website To A New Host

Moving your WordPress website to a new host can be a stressful experience, but it doesn’t need to be. Use this easy guide to help you through the process.

Source: Step-By-Step Guide to Migrating Your WordPress Website To A New Host

Moving your website to a new host can be a daunting and stressful experience, but it doesn’t need to be.

Many people are faced with the need to move to a new host because of problems with their current provider, having simply had enough. But all too often, migrating to a more reliable host is delayed time and again for fear of making a mistake and damaging your site(s).

To get around the problem, people will either pay a professional to move their site for them, find a new host that offers the service as part of a new hosting package, or take the third option of having a go at it themselves.

If you spend a little time preparing your own website, migrating is nothing to be concerned about. It can be a very straightforward project if approached correctly and can easily be reversed out of should any problems occur.

Let’s run through the steps required to move your WordPress website to a new host.

Step 1: Back Up Your Website’s Files

FTP-Transfer

The very first step of any project such as this is to back up every aspect of your site. This step is good practice before any major change but it is also a requirement of migrating your WordPress installation.

There are many plugins out there that will completely back up your site for you. This backup, however, requires a more manual approach. Using an FTP program (such as FileZilla), connect to your web host and copy all files under your website’s directory to a folder on your local computer.

This includes the .htaccess file, which is hidden by default. Consult your FTP program’s help file to have it display hidden files if you are unable to see this file.

Depending on the number of media uploads you have in your site, this could take some time. While this download is underway we can begin step two and make a copy of your database.

Step 2: Export The WordPress Database

Database Export

Exporting your database is a simple process that only requires a few steps to complete. Log in to the cPanel account of your web server and open the phpMyAdmin application. Select the database that contains your WordPress installation from the list in the left-hand sidebar, then click the Export tab on the navigation menu.

The default settings of a Quick export and the SQL format for the export are sufficient for what we need. Click the Go button and the database export process will begin and a file will be downloaded to your local computer.

Once the database export and the FTP transfer of your files have both completed, you are ready to move onto the next stage.

Step 3: Create The WordPress Database On Your New Host Server

Before we can begin the migration to the new web host, we need to create an environment for a WordPress installation. To do this you must create a database that you can import your SQL data into.

Log in to your new web host with the user credentials they have supplied you and connect to the cPanel software. For our guide we will be using the MySQL Databases application. If your web host doesn’t have that application running, you should contact their support team to discover their method of creating new databases.

The steps to create a database are quite simple:

  • Open the MySQL Databases application and create a new database with an appropriate name for your website.
  • Create a new MySQL user (with a secure password).
  • Add this user account to the new database and grant it All Privileges.

Write down the database name, the new MySQL username and its password. You will need them soon.

Step 4: Edit the wp-config.php File

Browse to the folder on your local computer where you downloaded your website files to. In that folder there is a file called wp-config.php that controls the access between WordPress and your database.

Make a copy of this file and store it in another folder on your local computer. This is necessary for restoring the changes we are about to make should something go wrong later.

Open the original version of the file with your favorite text editor and make the following three changes:

1. Change The Database Name

Locate the following line:

define('DB_NAME', 'db_name');

The db_name portion of this line will currently be set to the MySQL database name of your old web host. This must be changed to the name of the new database you have just created.

2. Change the Database Username

Below this you will find the line:

define('DB_USER', 'db_user');

In this line you need to change the db_user portion from the username of your old host to match the new username you have just created.

3. Change The Database User Password

Finally, edit the third line:

define('DB_PASSWORD', 'db_pass');

As with the others the db_pass section of this line must be changed to the new secure password you created for your MySQL user.

Save wp-config.php and close the file.
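The three edits above are easy to get wrong by hand: a password containing a quote or backslash breaks the PHP literal, and a define that was never found leaves the file silently pointing at the old host. The following is an added example (not the guide’s own code or anything from WordPress) that makes the same three changes programmatically. The config text, constant values and the `backup_dir` argument are assumptions constructed for the example; the backup is written outside the folder you will upload so the old credentials never reach the new server.

```python
import re
import shutil
from pathlib import Path

# Constructed sample wp-config.php fragment (not the article's file); the
# values mirror the placeholders the guide shows.
SAMPLE_CONFIG = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'db_name');

/** MySQL database username */
define('DB_USER', 'db_user');

/** MySQL database password */
define('DB_PASSWORD', 'db_pass');

/** MySQL hostname */
define('DB_HOST', 'localhost');
"""

DB_CONSTANTS = ("DB_NAME", "DB_USER", "DB_PASSWORD")


def php_single_quoted(value: str) -> str:
    """Escape a value for a PHP single-quoted literal. Only backslash and the
    single quote are special there, and a strong password may contain both."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def update_db_constants(config_text: str, new_values: dict) -> str:
    """Rewrite define('NAME', '...') lines for the given constants.

    Raises KeyError unless each constant is defined exactly once, so an
    unchanged config (still holding the old host's credentials) cannot slip
    through unnoticed."""
    updated = config_text
    for name, value in new_values.items():
        pattern = re.compile(
            r"^(\s*define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*)"  # up to the value
            r"(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")"                 # existing literal
            r"(\s*\)\s*;)",                                                # closing ');'
            re.MULTILINE,
        )
        literal = php_single_quoted(value)
        updated, count = pattern.subn(lambda m, lit=literal: m.group(1) + lit + m.group(2), updated)
        if count != 1:
            raise KeyError(f"expected exactly one define for {name}, found {count}")
    return updated


def rewrite_config_file(path: Path, new_values: dict, backup_dir: Path) -> Path:
    """Copy wp-config.php into backup_dir (hypothetical helper), then rewrite
    the original in place. backup_dir must lie outside the tree that will be
    uploaded in Step 6, so the old credentials never land on the web server."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (path.name + ".orig")
    shutil.copy2(path, backup)
    path.write_text(update_db_constants(path.read_text(), new_values))
    return backup


if __name__ == "__main__":
    # Constructed credentials; the password deliberately contains ' and \.
    print(update_db_constants(SAMPLE_CONFIG, {
        "DB_NAME": "newsite_wp",
        "DB_USER": "newsite_user",
        "DB_PASSWORD": "p4ss'w\\ord",
    }))
```

Run it against a copy of the downloaded file first and diff the result against the original; only the three define lines should change.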

Step 5: Import Your Database

Database Import

Now that you have a new database to work with we can begin the import process.

Launch phpMyAdmin from the cPanel software on your new server and select your new database from the list in the left-hand sidebar. Once it opens, select the Import tab from the navigation menu.

In the File to Import section click the Choose File button and select the SQL file you exported previously.

Un-tick the Partial Import check box, make sure the format is set to SQL and then click the Go button. The database import will now begin.

The time this import takes varies depending on the size of your database. You should receive a message informing you of the success of the import when it has finished.

Step 6: Upload The WordPress Files To Your New Host

Now that you have the new database prepared and you’ve reconfigured the wp-config.php file, it is time to begin uploading your website’s files.

Connect to your new web host using your FTP program and browse to the folder where your website is going to be held. If this is the primary, or only, site being installed on this web server, the public_html folder is the usual directory to upload the files to.

With the remote directory selected you can upload your website files that should now include the updated version of wp-config.php. As with the earlier download, this process can take some time.

Don’t delete these files from your local computer once the upload finishes. They are still needed until the final steps have been completed.

Step 7: Linking to New URL & Defining New Domain

If you are moving to a new or different domain, read through this step; if not, you can skip it, because you don’t have to update your site to point to a different domain.

One issue people always seem to have when moving their site is that they have linked to other posts on the site, or inserted images, using absolute URLs that point at the old server, and those links break once the site is moved to a new domain. To find every instance of the old domain name and replace it with the new one quickly and easily, we suggest you take a look at the Search Replace DB script on GitHub. Just make sure you DELETE it when you are done (for security reasons), and don’t place it in your root domain: create a temporary folder with a random name to host the script.

Changing Site URL: by doing a search and replace for the old domain and replacing it with the new domain, you will also be altering the site_url and home URL values in the database (Changing the Site URL), which ensures that when you try to log in to your site on the new domain it doesn’t redirect you to the old domain.
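The reason a dedicated script is recommended instead of a plain SQL REPLACE is that WordPress stores many settings (widgets, theme options, some post meta) as PHP-serialized data, where every string carries its byte length, such as s:22:"http://old.example.com";. A plain substitution leaves that length stale and the value no longer unserializes, so the setting silently disappears. The following is an added example (not the guide’s code and not the Search Replace DB script) that shows the difference on constructed column values: the domains, the sample rows and the function names are assumptions made for the example. It works on bytes because PHP counts bytes, not characters, and it does not descend into strings that themselves contain serialized data; reading and writing the rows to the database is left out.

```python
import re

# Constructed sample column values (not from the article or the script it
# names): a plain URL and a PHP-serialized array of the kind WordPress keeps
# in wp_options (widgets, theme mods) and wp_postmeta.
OLD_DOMAIN = b"http://old.example.com"
NEW_DOMAIN = b"https://new.example.org"

SAMPLE_ROWS = [
    b"http://old.example.com/wp-content/uploads/logo.png",
    b'a:2:{s:4:"home";s:22:"http://old.example.com";s:5:"title";s:2:"hi";}',
]

# Header of a PHP-serialized string: s:<byte length>:"
_STR_HEAD = re.compile(rb's:(\d+):"')
# Serialized arrays, objects and bare strings begin like this
_SERIALIZED = re.compile(rb'^(?:[aO]:\d+:|s:\d+:")')


def naive_replace(value: bytes, old: bytes, new: bytes) -> bytes:
    """Plain substitution: right for ordinary columns, wrong for serialized
    data because the s:N: byte counts are left stale."""
    return value.replace(old, new)


def serialized_replace(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every s:N:"..." body and recompute N.
    Bytes outside string bodies (keys, ints, braces) are copied unchanged."""
    out = bytearray()
    pos = 0
    while True:
        m = _STR_HEAD.search(value, pos)
        if m is None:
            out += value[pos:]
            return bytes(out)
        length = int(m.group(1))
        body_start, body_end = m.end(), m.end() + length
        if value[body_end:body_end + 2] != b'";':
            # Looks like a header but the byte count does not line up:
            # copy it through as literal text rather than guess.
            out += value[pos:m.end()]
            pos = m.end()
            continue
        body = value[body_start:body_end].replace(old, new)
        out += value[pos:m.start()] + b's:%d:"' % len(body) + body + b'";'
        pos = body_end + 2


def replace_in_value(value: bytes, old: bytes, new: bytes) -> bytes:
    """Pick the strategy for one column value."""
    if _SERIALIZED.match(value):
        return serialized_replace(value, old, new)
    return naive_replace(value, old, new)


def serialized_is_consistent(value: bytes) -> bool:
    """True if every s:N:"..." is closed by '";' exactly N bytes after the
    opening quote, which is what PHP's unserialize() insists on."""
    pos = 0
    while True:
        m = _STR_HEAD.search(value, pos)
        if m is None:
            return True
        body_end = m.end() + int(m.group(1))
        if value[body_end:body_end + 2] != b'";':
            return False
        pos = body_end + 2


def migrate_rows(rows, old=OLD_DOMAIN, new=NEW_DOMAIN):
    """Apply the domain change to a list of fetched column values."""
    return [replace_in_value(row, old, new) for row in rows]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ROWS, migrate_rows(SAMPLE_ROWS)):
        print(before.decode(), "->", after.decode())
    broken = naive_replace(SAMPLE_ROWS[1], OLD_DOMAIN, NEW_DOMAIN)
    print("naive result would fail unserialize():", not serialized_is_consistent(broken))
```

The consistency check is the useful part to keep: run it over the option values after any replacement, whichever tool performed it, and a False result tells you which rows the import will quietly lose.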

Step 8: The Final Touches

This step actually includes two separate things with (potentially) several days between them.

Before you can use the site on your new host you will need to reconfigure your domain’s DNS settings. They will be set to point to your old host and you will need to point the correct records to the new server IP address.

This process will depend on where you have your domain registered. The details of completing this process are too varied to discuss in this post, but your domain registrar should have all of the details you need to make this change.

DNS changes can take up to 48 hours to fully propagate. It’s best to do this at a period when you expect lower levels of traffic. During this 48 hour window you should avoid making any changes to your website as you may be changing the old version of the site.

After the 48-hour period has expired you should be reaching the new web host when you go to your website. It’s at this point you can connect to your old web host to delete the files and database. You should still have a local backup copy of these files and the database export, along with the original wp-config.php file, in case you need to roll back the migration. It can be a good idea to hold onto these files for an extended period just to be on the safe side.

Conclusion

As you can see, when broken down into the above simple steps, the process isn’t that difficult. All it really requires is for you to be careful at each step and give yourself the option to go back to the original version until the last possible moment (in case of any problems).