What is a DNS Cache and How Does It Work

A DNS cache (sometimes called a DNS resolver cache) is a temporary database, maintained by a computer’s operating system, that contains records of all the recent visits and attempted visits to websites and other internet domains.

In other words, a DNS cache is just a memory of recent DNS lookups that your computer can quickly refer to when it’s trying to figure out how to load a website.

The information in this article applies to home users who haven’t changed their DNS settings.

The Purpose of a DNS Cache

The internet relies on the Domain Name System to maintain an index of all public websites and their corresponding IP addresses. You can think of it as a phone book.

With a phone book, we don’t have to memorize everyone’s phone number, which is the only way phones can communicate: with a number. In the same way, DNS is used so we can avoid having to memorize every website’s IP address, which is the only way network equipment can communicate with websites.

This is what happens behind the curtain when you ask your web browser to load a website.

You type in a URL like lifewire.com and your web browser asks your router for the IP address. The router has a DNS server address stored, so it asks the DNS server for the IP address of that hostname. The DNS server finds the IP address that belongs to lifewire.com and then is able to understand what website you’re asking for, after which your browser can then load the appropriate page.

This happens for every website you want to visit. Every time you visit a website by its hostname, the web browser initiates a request out to the internet, but this request cannot be completed until the site’s name is “converted” into an IP address.

The problem is that even though there are tons of public DNS servers your network can use to try to speed up the conversion/resolution process, it’s still quicker to have a local copy of the “phone book,” which is where DNS caches come into play.

The DNS cache attempts to speed up the process even more by handling the name resolution of recently visited addresses before the request is sent out to the internet.

There are actually DNS caches at every hierarchy of the “lookup” process that ultimately gets your computer to load the website. The computer reaches your router, which contacts your ISP, which might hit another ISP before ending up at what’s called the “root DNS servers.” Each of those points in the process has a DNS cache for the same reason, which is to speed up the name resolution process.

How a DNS Cache Works

Before a browser issues its requests to the outside network, the computer intercepts each one and looks up the domain name in the DNS cache database. The database contains a list of all recently accessed domain names and the addresses that DNS calculated for them the first time a request was made.

The contents of a local DNS cache can be viewed on Windows using the command ipconfig /displaydns, with results similar to this:

docs.google.com
-------------------------------------
Record Name . . . . . : docs.google.com
Record Type . . . . . : 1
Time To Live . . . . : 21
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 172.217.6.174

In DNS, the “A” record is the portion of the DNS entry that contains the IP address for the given host name. The DNS cache stores this address, the requested website name, and several other parameters from the host DNS entry.

What Is DNS Cache Poisoning?

A DNS cache becomes poisoned or polluted when unauthorized domain names or IP addresses are inserted into it.

Occasionally a cache may become corrupted because of technical glitches or administrative accidents, but DNS cache poisoning is typically associated with computer viruses or other network attacks that insert invalid DNS entries into the cache.

Poisoning causes client requests to be redirected to the wrong destinations, usually malicious websites or pages full of advertisements.

For example, if the docs.google.com record from above had a different “A” record, then when you entered docs.google.com in your web browser, you’d be taken somewhere else.

This poses a massive problem for popular websites. If an attacker redirects your request for Gmail.com, for example, to a website that looks like Gmail but isn’t, you might end up suffering from a phishing attack like whaling.
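One way to check a cache for the kind of altered “A” record described above, as an added example that is not part of the original article: the Python below parses text in the ipconfig /displaydns layout and reports cached addresses that fall outside a baseline you maintain. The sample output, the intranet.example.test entry, the PINNED_NETWORKS baseline and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample in the `ipconfig /displaydns` layout shown above.
# The second entry and its address are invented for this example.
SAMPLE_OUTPUT = """\
Windows IP Configuration

    docs.google.com
    ----------------------------------------
    Record Name . . . . . : docs.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 21
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 172.217.6.174

    intranet.example.test
    ----------------------------------------
    Record Name . . . . . : intranet.example.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 86000
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.66
"""

# Hypothetical baseline: networks each pinned name is expected to resolve into.
# Illustrative values only, not an authoritative list for any provider.
PINNED_NETWORKS = {
    "docs.google.com": ["172.217.0.0/16"],
    "intranet.example.test": ["10.20.0.0/24"],
}

# Field labels that carry an address (AAAA assumed to follow the same layout).
ADDRESS_KEYS = {"A (Host) Record", "AAAA Record"}


def parse_displaydns(text):
    """Return one dict per cached record: name, type, ttl, address."""
    records, current = [], None
    for line in text.splitlines():
        left, sep, value = line.partition(": ")
        if not sep:
            continue  # banner, entry title, dashed separator or blank line
        key = left.strip().rstrip(" .")  # "Record Name . . . . ." -> "Record Name"
        value = value.strip()
        if key == "Record Name":
            current = {"name": value.lower(), "type": None, "ttl": None, "address": None}
            records.append(current)
        elif current is None:
            continue  # field seen before any record started
        elif key == "Record Type":
            current["type"] = int(value)
        elif key == "Time To Live":
            current["ttl"] = int(value)
        elif key in ADDRESS_KEYS:
            current["address"] = ipaddress.ip_address(value)
    return records


def audit_cache(records, pinned):
    """Return (name, address, ttl) for cached addresses outside the pinned networks."""
    findings = []
    for rec in records:
        allowed = pinned.get(rec["name"])
        if allowed is None or rec["address"] is None:
            continue  # name is not pinned, or the record holds no address
        networks = [ipaddress.ip_network(net) for net in allowed]
        if not any(rec["address"] in net for net in networks):
            findings.append((rec["name"], str(rec["address"]), rec["ttl"]))
    return findings


if __name__ == "__main__":
    for name, address, ttl in audit_cache(parse_displaydns(SAMPLE_OUTPUT), PINNED_NETWORKS):
        print(f"{name}: cached {address} is outside the pinned networks (TTL {ttl}s)")
```

A baseline like this only makes sense for names whose addresses you control or know to be stable; large public sites change addresses often.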

DNS Flushing: What It Does and How to Do It

When troubleshooting cache poisoning or other internet connectivity problems, a computer administrator may wish to flush (i.e. clear, reset, or erase) a DNS cache.

Since clearing the DNS cache removes all the entries, it deletes any invalid records too and forces your computer to repopulate those addresses the next time you try accessing those websites. These new addresses are taken from the DNS server your network is set up to use.

So, to use the example above, if the Gmail.com record was poisoned and redirecting you to a strange website, flushing the DNS is a good first step to getting the regular Gmail.com back again.

In Microsoft Windows, you can flush the local DNS cache using the ipconfig /flushdns command in a Command Prompt. You know it works when you see the Windows IP configuration successfully flushed the DNS Resolver Cache or Successfully flushed the DNS Resolver Cache message.

Through a command terminal, macOS users should use dscacheutil -flushcache but know that there is not a “successful” message after it runs, so you’re not told if it worked. In some cases, Mac users will also have to kill the DNS responder (sudo killall -HUP mDNSResponder). Linux users should enter the /etc/rc.d/init.d/nscd restart command. The exact command will vary based on your Linux distribution, though.

A router can have a DNS cache as well, which is why rebooting a router is often a troubleshooting step. For the same reason you might flush the DNS cache on your computer, you can reboot your router to clear the DNS entries stored in its temporary memory.

Best Free Public DNS Servers

The best free public DNS servers include Google, Quad9, OpenDNS, Cloudflare, CleanBrowsing, Alternate DNS, and AdGuard DNS.

Here’s a quick reference if you know what you’re doing, but we get into these services a lot more later in this article:

Best Free & Public DNS Servers
Provider        Primary DNS       Secondary DNS
Google          8.8.8.8           8.8.4.4
Quad9           9.9.9.9           149.112.112.112
OpenDNS Home    208.67.222.222    208.67.220.220
Cloudflare      1.1.1.1           1.0.0.1
CleanBrowsing   185.228.168.9     185.228.169.9
Alternate DNS   76.76.19.19       76.223.122.150
AdGuard DNS     94.140.14.14      94.140.15.15

A list of additional free DNS servers can be found in the table near the bottom of the page.

What Are DNS Servers?

DNS servers translate the friendly domain name you enter into a browser (like lifewire.com) into the public IP address that’s needed for your device to actually communicate with that site.

Your ISP automatically assigns DNS servers when your smartphone or router connects to the internet but you don’t have to use those. There are lots of reasons you might want to try alternative ones (we get into many of them in Why Use Different DNS Servers? a bit further down the page) but privacy and speed are two big wins you could see from switching.

Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers sometimes alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” from different providers to protect you if the primary provider has problems.

Best Free & Public DNS Servers (Valid March 2021)

Below are more details on the best free DNS servers you can use instead of the ones assigned.

If you’re not sure, use the IPv4 DNS servers listed for a provider. These are the IP addresses that include periods. IPv6 IP addresses use colons.

GOOGLE: 8.8.8.8 & 8.8.4.4 

Google Public DNS promises three core benefits: a faster browsing experience, improved security, and accurate results without redirects.

  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4

Google also offers IPv6 versions:

  • Primary DNS: 2001:4860:4860::8888
  • Secondary DNS: 2001:4860:4860::8844

Google can achieve fast speeds with its public DNS servers because they’re hosted in data centers all around the world, meaning that when you attempt to access a web page using the IP addresses above, you’re directed to a server that’s nearest to you.

QUAD9: 9.9.9.9 & 149.112.112.112

Quad9 has free public DNS servers that protect your computer and other devices from cyber threats by immediately and automatically blocking access to unsafe websites, without storing your personal data.

  • Primary DNS: 9.9.9.9
  • Secondary DNS: 149.112.112.112

There are also Quad9 IPv6 DNS servers:

  • Primary DNS: 2620:fe::fe
  • Secondary DNS: 2620:fe::9

Quad9 does not filter content—only domains that are phishing or contain malware will be blocked. Quad9 also has an unsecured IPv4 public DNS at 9.9.9.10 (2620:fe::10 for IPv6).

OPENDNS: 208.67.222.222 & 208.67.220.220

OpenDNS claims 100% reliability and up-time and is used by 90 million users around the world. They offer two sets of free public DNS servers, one of which is just for parental controls with dozens of filtering options.

  • Primary DNS: 208.67.222.222
  • Secondary DNS: 208.67.220.220

IPv6 addresses are also available:

  • Primary DNS: 2620:119:35::35
  • Secondary DNS: 2620:119:53::53

The servers above are for OpenDNS Home, which you can make a user account for to set up custom settings. The company also offers DNS servers that block adult content, called OpenDNS FamilyShield: 208.67.222.123 and 208.67.220.123. A premium DNS offering is available, too, called OpenDNS VIP.

CLOUDFLARE: 1.1.1.1 & 1.0.0.1

Cloudflare built 1.1.1.1 to be the “fastest DNS service in the world” and will never log your IP address, never sell your data, and never use your data to target ads. 

  • Primary DNS: 1.1.1.1
  • Secondary DNS: 1.0.0.1

They also have IPv6 public DNS servers:

  • Primary DNS: 2606:4700:4700::1111
  • Secondary DNS: 2606:4700:4700::1001

There’s a 1.1.1.1 app for Android and iOS, for quick setup on mobile devices.

CLEANBROWSING: 185.228.168.9 & 185.228.169.9

CleanBrowsing has three free public DNS server options: a security filter, adult filter, and family filter. These are the DNS servers for the security filter, the most basic of the three that updates hourly to block malware and phishing sites:

  • Primary DNS: 185.228.168.9
  • Secondary DNS: 185.228.169.9

IPv6 is also supported:

  • Primary DNS: 2a0d:2a00:1::2
  • Secondary DNS: 2a0d:2a00:2::2

The CleanBrowsing adult filter (185.228.168.10) prevents access to adult domains, and the family filter (185.228.168.168) blocks proxies, VPNs, and mixed adult content. More features can be had at a price: CleanBrowsing Plans.

ALTERNATE DNS: 76.76.19.19 & 76.223.122.150

Alternate DNS is a free public DNS service that blocks ads before they reach your network.

  • Primary DNS: 76.76.19.19
  • Secondary DNS: 76.223.122.150

Alternate DNS has IPv6 DNS servers, too:

  • Primary DNS: 2001:4801:7825:103:be76:4eff:fe10:2e49
  • Secondary DNS: 2001:4800:780e:510:a8cf:392e:ff04:8982

You can sign up for free from their signup page. There’s also a Family Premium DNS option for $2.99 /month that blocks adult content.

ADGUARD DNS: 94.140.14.14 & 94.140.15.15

AdGuard DNS has two sets of DNS servers, both of which block ads in games, videos, apps, and web pages. The basic set of DNS servers are called the “Default” servers, and block not only ads but also malware and phishing websites:

  • Primary DNS: 94.140.14.14
  • Secondary DNS: 94.140.15.15

IPv6 is supported, too:

  • Primary DNS: 2a10:50c0::ad1:ff
  • Secondary DNS: 2a10:50c0::ad2:ff

There are also “Family protection” servers (94.140.14.15 and 2a10:50c0::bad1:ff) that block adult content plus everything included in the “Default” servers. Non-filtering servers are available if you’re not interested in blocking anything: 94.140.14.140 and 2a10:50c0::1:ff.

Why Use Different DNS Servers?

One reason you might want to change the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now. An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Yet another common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.

Know, however, that not all DNS servers avoid traffic logging. If that’s what you’re interested in, make sure you read through the FAQs on the DNS provider’s site to make sure it’s going to do (or not do) what you’re after.

If, on the other hand, you want to use the DNS servers that your specific ISP, like Verizon, AT&T, Comcast/XFINITY, etc., has determined are best, then don’t manually set DNS server addresses at all—just let them auto assign.

Finally, in case there was any confusion, free DNS servers do not give you free internet access. You still need an ISP to connect to for access—DNS servers just translate between IP addresses and domain names so that you can access websites with a human-readable name instead of a difficult-to-remember IP address.

Additional DNS Servers

Here are several more public DNS servers. Let us know if we’re missing any major providers.

OpenNIC has several DNS servers. Visit its website and select one that’s geographically nearby for the optimal performance.

More Free DNS Servers
Provider               Primary DNS       Secondary DNS
DNS.WATCH              84.200.69.80      84.200.70.40
Comodo Secure DNS      8.26.56.26        8.20.247.20
CenturyLink (Level3)   205.171.3.66      205.171.202.166
SafeDNS                195.46.39.39      195.46.39.40
OpenNIC                192.71.245.208    94.247.43.254
Dyn                    216.146.35.35     216.146.36.36
FreeDNS                45.33.97.5        37.235.1.177
Yandex.DNS             77.88.8.8         77.88.8.1
UncensoredDNS          91.239.100.100    89.233.43.71
Hurricane Electric     74.82.42.42
puntCAT                109.69.8.51
Neustar                64.6.64.6         64.6.65.6
Fourth Estate          45.77.165.194     45.32.36.36

DNS servers are referred to as all sorts of names, like DNS server addresses, internet DNS servers, internet servers, DNS IP addresses, etc.

The Ultimate Guide to Active Directory Best Practices

Security Groups, User Accounts, and Other AD Basics

At many enterprises and SMBs that use Windows devices, IT teams are likely to use Active Directory (AD). Essentially, Active Directory is an integral part of the operating system’s architecture, allowing IT more control over access and security. AD is a centralized, standard system that allows system administrators to automatically manage their domains, account users, and devices (computers, printers, etc.) within a network.

AD is crucial for a number of functions—it can be responsible for storing centralized data, managing communication between domains, and implementing secure certificates. But perhaps most importantly, it gives system administrators control over passwords and access levels within their network to manage various groups within the system. At the same time, Active Directory can also help support the ability for users to more easily access resources across the network.

Since Active Directory is a central IT tool for managing access control and security, here’s what you need to know:

  1. Structures Within Active Directory
  2. The Difference Between Security Group vs. Distribution Group
  3. What are Group Scopes?
  4. Everything Active Directory Best Practices:
  5. Choosing the Best Tools for Active Directory Security
  6. What Attacks Can Active Directory Help Prevent?
  7. The Future of Active Directory

Structures Within Active Directory

The structure is important to understand for effective Active Directory administration, as good storage and organization practices are key to building a secure hierarchy. The following are some basic structural aspects of Active Directory management:

  • Domains: An AD domain is a collection of objects, like users or hardware devices, that share policies, and a database. Domains contain identifying information about those objects and have a single DNS name. A group policy may be applied to a whole domain or sub-groups called organizational units (OU).
  • Trees: Multiple AD domains within a single group are known as trees. They share a network configuration, schema, and global catalog. There’s a rule of trust with trees— when a new domain joins a tree, it’s immediately trusted by the other domains in the group.
  • Forests: A forest is a group of trees that share a single database. This is the top of the organizational hierarchy within an AD. A single forest should be used for each department. It’s important to note that user admins within one forest cannot automatically access another forest. 

The Difference Between Security Group vs. Distribution Group

AD is comprised of two main groups—distribution groups and security groups. Distribution groups are built primarily to distribute emails. These are useful for applications like Microsoft Exchange or Outlook, and it’s generally straightforward to add and remove contacts from one of these lists. You can’t use a distribution group to filter group policy settings. When possible, users should be assigned to distribution groups rather than security groups, since membership in too many security groups could lead to slow logon functionality.

On the other hand, security groups allow IT to manage access to shared resources by controlling user and computer access. Security groups can be used to assign security rights within the AD network. (These groups can also be used for email distribution.) Each security group is assigned a set of user rights, dictating their abilities within the forest. For example, some groups may be able to restore files, while others are not.

These groups give IT control over group policy settings, meaning permissions can be changed across multiple computers. Permissions differ from rights—they apply to shared resources within a domain. The simplest way to understand permissions is to think of Google Docs. The owner of such a document can decide who has permission to edit their work, who can comment on it, and which parties can merely view the document. Security group permissions are similar. Certain groups may have more access than others when it comes to shared resources.

What Are AD Group Scopes?

“Group scope” is the term used to categorize the permission levels of each security group. Microsoft has outlined three main scopes within AD:

  • Universal: Members from any domain can be added to a universal security group. These groups are often used to define roles and manage permissions within the same forest or trusting forests.
  • Global: Global groups pertain mostly to the categorization of users based on business roles. Users often share similar network access requirements. This group has the ability to assign permissions for access to resources in any domain.
  • Domain Local: This grouping can be applied everywhere in the domain and is often used to assign permissions for access to resources. One thing to note—you can assign these permissions only in the domain where the domain local group was created.

By adding a user account to a group, you’re eliminating the administrative legwork that comes with handling individual user access. Groups can also become members of other groups. This is called group nesting. Nesting is a helpful way to manage your AD based on business roles, functions, and management rules.

Active Directory Nested Groups Best Practices

Before implementing nesting strategies, be sure to follow Active Directory nested groups best practices. These will ensure you’re keeping your data safe while simultaneously improving efficiencies, rather than adding more layers of confusion.

  • Stay in the Loop: Being aware of permission inheritance is probably the single most important thing to keep in mind when it comes to group nesting. You can nest groups based on a parent-child hierarchy, so if you make users of Group A members of Group B, the users within Group A would have the same permissions as Group B. This can lead to problems if the users in Group B have access to sensitive information the users in Group A shouldn’t be able to access.
  • Know Your Names: Naming conventions should be front and center when you’re creating groups. They should be obvious to a fault, citing the name of the department (sales, marketing, HR, etc.) and the level of permission that they have. You’ll be thankful you have this practice in place when it comes time to build your nested groups.
  • Keep It Local: Remember, domain local groups are used to manage permissions to resources. When nesting groups, add user accounts to a global group, then add that global group to a domain local group. The global group will have the same level of access to the resource that the domain local group has. 
  • Let Go: IT professionals don’t need to be the ones in charge of group management. The managers and directors across various departments who own the content within a certain group can be empowered to manage who has access to the group.
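The permission inheritance described under “Stay in the Loop” can be audited by walking the nesting graph. The Python below is an added example, not part of the original guide: it resolves everyone who effectively ends up in a domain local group, records the nesting path that grants the access, and tolerates circular nesting. The group names (with constructed GG-/DL- prefixes for global and domain local groups), the users and the approved list are all made up for illustration.

```python
from collections import deque

# Constructed directory: each group maps to its direct members.
# A member that is itself a key in this dict is a nested group.
DIRECT_MEMBERS = {
    "GG-Sales-Users": ["alice", "bob"],
    "GG-HR-Users": ["carol"],
    "GG-Onboarding": ["dave", "GG-Sales-Users"],      # Sales nested here for a shared task
    "DL-SalesShare-Read": ["GG-Sales-Users"],
    "DL-HRRecords-Modify": ["GG-HR-Users", "GG-Onboarding"],
    "GG-Loop-A": ["GG-Loop-B"],                        # circular nesting, kept on purpose
    "GG-Loop-B": ["GG-Loop-A", "erin"],
}

# Hypothetical sign-off from the resource owner: who should reach each group.
APPROVED = {"DL-HRRecords-Modify": {"carol", "dave"}}


def effective_members(group, direct_members):
    """Map each user reachable from `group` to the nesting path granting access."""
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in direct_members.get(current, []):
            if member in direct_members:        # member is itself a group
                if member not in seen:          # guards against circular nesting
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:           # breadth-first: shortest path wins
                paths[member] = path
    return paths


def unexpected_access(group, direct_members, approved_users):
    """Return (user, path) pairs for users who inherit access without approval."""
    granted = effective_members(group, direct_members)
    return sorted(
        (user, " > ".join(path))
        for user, path in granted.items()
        if user not in approved_users
    )


if __name__ == "__main__":
    target = "DL-HRRecords-Modify"
    for user, path in unexpected_access(target, DIRECT_MEMBERS, APPROVED[target]):
        print(f"{user} reaches {target} via {path}")
```

In the constructed data, alice and bob were only ever added to the Sales global group, yet they inherit modify rights on HR records through GG-Onboarding.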

Active Directory Security Groups Best Practices

In addition to group nesting management tips, there are also many things to keep in mind when it comes to managing your security groups:

  • Understand Who and What: It’s important to regularly take stock of which employees have access and permission to which resources. Most employees don’t need a high level of domain access. This is what’s called the “rule of privilege.” The rule emphasizes the importance of granting all user accounts the absolute minimum level of permission necessary to complete their assigned tasks. This isn’t about not trusting your employees, it’s about limiting the spread of potential risk factors. Logging on with a privileged account means a user could accidentally spread a hidden virus to the entire domain, since the virus would have administrative access. However, if that same user uses a non-privileged account, the damage would only be local. Practice the principle of privilege and you can help prevent potential damage.
  • Delete the Default: AD assigns default permissions and rights to basic security groups, such as Account Operators. But these default settings don’t have to stick. It’s important to take a look and make sure they’re appropriate for your company. If not, go ahead and customize them. This will help you avoid hackers who are familiar with default settings. 
  • Practice Patching: The bad news? There are many well-known vulnerabilities (holes and weaknesses) within your computer software. The good news? Patches can fix them. A patch is a set of changes designed to fix security vulnerabilities and improve usability and performance. Take the time to research which patches are right for the applications within your network. This will help you avoid security risks due to attackers ready to pounce on these vulnerabilities through malicious code.

Active Directory Best Practices for User Accounts

With thousands of user accounts to manage, it’s easy to get overwhelmed. The best way to avoid headaches is to be proactive. If you can take steps to ensure a healthy Active Directory, your chances of a security breach drop significantly. Here are a few AD user management best practices to keep in mind:

  • Perform Housekeeping Duties: Regularly deleting unnecessary user accounts from your Domain Admins group is critical. Why? Members of this group are granted access to a plethora of devices and servers. This makes them a prime target for attackers, who have become experts at breaking into user credentials. Keep the number of users within your Domain Admins group to a bare minimum to safeguard against this possibility.
  • Keep Track of Terminations: When employees leave, so must their user accounts. Abandoned accounts leave room for former employees to gain access to information that is not rightfully theirs. They’re also a target for hackers, who prey on inactive accounts as an easy way to enter a domain under cover. Do your due diligence and regularly sweep out abandoned accounts. You won’t regret it.
  • Actively Monitor: It’s important to have an overview of your forests. This ensures you stay ahead of potential problems, like service outages, and quickly identify those that do pop up, such as syncing issues and user account lockouts. Practice monitoring for a spike in bad user account password attempts. This is often a red flag that you have attackers on your hands.
  • Implement Password Policies: It would be great if AD were configured to require users to update passwords on a periodic basis. Unfortunately, that’s not the case. But while it may involve some manual heavy lifting, it’s important to set up processes that require regular password updates. This preventative measure is well worth the time. A few tips:
    • Long passwords are king. Think 12 characters at least.
    • Implement passphrases, that is, two or more unrelated words strung together.
    • Allow just three login attempts before the user is locked out.
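The “spike in bad user account password attempts” mentioned under Actively Monitor can be detected with a sliding window over failed-logon events. The Python below is an added example, not part of the original guide. It assumes a constructed four-column export (time, Windows event ID, account, source address), where 4625 is the Windows failed-logon event, and it uses the three-attempt figure above as its default threshold.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: time, event ID, account, source address.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-05-01T09:00:00,4625,alice,10.0.0.5
2024-05-01T09:00:20,4624,alice,10.0.0.5
2024-05-01T09:10:00,4625,svc-backup,10.0.0.77
2024-05-01T09:10:02,4625,svc-backup,10.0.0.77
2024-05-01T09:10:03,4625,svc-backup,10.0.0.78
2024-05-01T09:10:05,4625,svc-backup,10.0.0.77
2024-05-01T09:30:00,4625,alice,10.0.0.5
2024-05-01T11:00:00,4625,alice,10.0.0.5
"""

FAILED_LOGON = "4625"


def failed_logon_spikes(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return one alert each time an account reaches `threshold` failed
    logons inside `window`; further failures in the same burst are not repeated."""
    rows = [row for row in csv.reader(StringIO(log_text)) if len(row) == 4]
    rows.sort(key=lambda row: row[0])   # ISO 8601 timestamps sort chronologically
    recent = defaultdict(deque)         # account -> (time, source) failures in window
    alerting = set()                    # accounts already reported for this burst
    alerts = []
    for ts, event_id, account, source in rows:
        if event_id != FAILED_LOGON:
            continue
        account = account.lower()
        when = datetime.fromisoformat(ts)
        failures = recent[account]
        failures.append((when, source))
        # Drop failures that have aged out of the window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) < threshold:
            alerting.discard(account)   # burst is over; allow a future alert
        elif account not in alerting:
            alerting.add(account)
            alerts.append({
                "account": account,
                "first": failures[0][0].isoformat(),
                "last": when.isoformat(),
                "failures": len(failures),
                "sources": sorted({src for _, src in failures}),
            })
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_spikes(SAMPLE_LOG):
        print(alert)
```

In the sample, alice's three failures are spread over two hours and raise nothing, while svc-backup crosses the threshold within three seconds from two source addresses.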

Active Directory Tips and Best Practices Checklist

We’ve dug into Active Directory security groups best practices, Active Directory user account best practices, and Active Directory nested groups best practices, but there are also a number of tips and tricks for managing Active Directory as a whole.

  • Have a Plan B: You’re doing your best to ensure all security measures are taken, but what happens if your AD is breached? Have a disaster recovery plan in place so you can take swift action in these moments of crisis. It’s also a smart idea to regularly back up your AD configurations.
  • Get Automated: Automated AD workflows can save you hours of time. Take tedious tasks off your plate by automating activities like onboarding and ticket management. Automation is especially helpful when it comes to putting proactive maintenance measures in place. Standardizing and streamlining practices in this way allows you to minimize the number of mistakes that can happen as a result of human error.
  • Assist from Afar: The reality is, many of the devices and servers you oversee are spread across buildings, towns, and even state lines, national borders, and other continents. Set up remote management systems that allow you to troubleshoot technical issues, like locked user accounts or replication errors, without leaving your desk. This will make you and your team more efficient.
  • Stay Alert: It’s important to have your finger on the pulse of your network. Active Directory monitoring tools, as we discussed, are essential for this. They give you a comprehensive view of your forests so you can keep an eye out for security threats and easily troubleshoot technical issues. Take monitoring a step further and create custom alert thresholds that offer real-time notifications when something is not quite right. The earlier you can catch a problem, especially those that can put your entire security at risk, the better.

Choosing the Best Tools for Active Directory Security

It can be hard to keep up with all of the Active Directory best practices out there. Luckily, you don’t have to go it alone. There are countless software, platforms, and services to help you navigate this complex environment. 

Here are a few of the most common:

  • Permissions Analyzers: This tool helps you quickly and easily figure out what rights and access groups someone is assigned. Simply enter the user’s name and the software will provide a hierarchical view of effective permissions & access rights, allowing you to quickly identify how each user gained their rights. Think of this as your bird’s eye view of your security groupings.
  • Access Rights Managers: Implementing an access rights manager can help you manage user permissions, ensuring access capabilities are in the right hands and providing you with a way to monitor the overall activity of your AD. These tools also come equipped with intuitive risk assessment dashboards and customizable reports, making it easy to demonstrate compliance with regulatory requirements, such as GDPR, PCI DSS, and HIPAA.
  • Monitoring Platforms: Server and application management software allows you to quickly and easily get a snapshot of the overall health of your directory, while also providing ways to dig deeper into domain controllers. You can use these platforms to create custom alert thresholds and define what’s normal for your server, thus avoiding alert fatigue. They make staying ahead, and taking action, extremely simple.
  • Remote Software: The moment you implement a remote access tool, you’ll wonder how you ever survived without it. This type of software is designed to help you solve issues, fast, from anywhere and everywhere. With remote access, you can gain control of computers while a user is logged in, giving you an inside look at the issues they’re experiencing. This gives you a better picture of the problem at hand.
  • Automation Managers: These tools are pretty straightforward and often include a “drag and drop” scripting interface to create repeatable processes. Do you have many tasks that need to be performed on a regular basis? An automation manager will allow you to roll these tasks up into a “policy” and then set up a schedule for this policy.

What Attacks Can Active Directory Help Prevent?

As you can see, Active Directory is a central tool for managing a number of business security functions. There are, in fact, some common attacks that good Active Directory practices could help prevent. Watch out for the following issues:

  • Pass-the-Hash: This attack has been around for over a decade. Despite the fact that it’s one of the most well-known, it has still managed to do its fair share of damage. With pass-the-hash, an attacker extracts a hashed (shorter, fixed-length value) user credential to navigate their way into a remote server. Put simply, if an attacker makes it through using a pass-the-hash tactic, there’s a weakness in your authentication process.
  • Brute Force: Elementary-level, yet effective, brute force involves an attacker using random usernames and passwords in rapid succession to gain access to your system. What are the chances of hacker success using this method? More than you’d think. Attackers who practice brute force use advanced programming to attempt trillions of combinations in seconds.

The Future for Active Directory

Whether it’s to up your security game, help you become more efficient, or, in many cases, achieve both, putting Active Directory best practices in place is an essential part of any IT strategy. From monitoring platforms to remote access software, there are dozens of tools out there to help you through the process. Choose what you need to streamline your workflow, ensure security, and ultimately improve both IT operations and user experience.

Is Email Secure?

Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.

The early Internet was not secure, so new technologies were developed to improve security:

  • HTTPS to secure online transactions involving credit cards
  • SFTP to secure file transfers (now replaced by HTTPS in many cases)
  • TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

Other technologies have attempted to “secure” email communications. All had varying degrees of success, but none has really gone mainstream.

  • PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
  • “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
  • Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams, and much of it escapes spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

  • Stop hosting your own email – Inbox providers like Google Workspace, Microsoft 365, Yahoo!, etc. have teams dedicated to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
  • Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
  • Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
  • Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the ongoing requirements of maintaining high levels of email deliverability.

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

  • Use Inbound Email filtering gateways – Out-of-the-box inbound filtering, either software or hardware, will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
  • Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
  • Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
  • Set up Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
  • Set up Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or preventing the emailing of large files, executables, etc. Leveraging advanced policies will help make using email more secure.
  • Set up DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
  • Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.
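
The receiver-side check behind “accept only DMARC compliant email” and the gradual move of a DMARC policy to Reject, as an added example that is not from the original article or from MxToolbox. It evaluates SPF and DKIM verdicts against a domain’s DMARC record, including alignment with the visible From domain. Assumptions: the names `evaluate`, `Message` and `rollout` and the example.com records and messages are constructed, the organizational domain is approximated by the last two labels, and the `pct` tag is ignored.

```python
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not usable."""
    pairs = [p.split("=", 1) for p in (txt or "").split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    first_tag = pairs[0][0].strip().lower() if pairs else ""
    if first_tag != "v" or tags.get("v") != "DMARC1":
        return None                       # v=DMARC1 must be the first tag
    tags["p"] = tags.get("p", "").lower()
    return tags if tags["p"] in POLICIES else None

def org_domain(domain):
    # Simplification (assumption): last two labels. Production receivers
    # use the Public Suffix List so that e.g. "example.co.uk" is handled.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str                          # domain of the visible From: header
    spf_result: str = "none"                  # SPF verdict for the envelope sender
    spf_domain: str = ""                      # MAIL FROM domain that SPF evaluated
    dkim: list = field(default_factory=list)  # (verdict, d= domain) per signature

def evaluate(msg, record_txt, record_domain):
    """Return (dmarc_result, disposition) for one message.

    record_txt is the TXT record found at _dmarc.<record_domain>, or None.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return ("none", "local-policy")       # no DMARC: receiver decides alone
    aspf = tags.get("aspf", "r").lower()
    adkim = tags.get("adkim", "r").lower()
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.spf_domain, msg.header_from, aspf))
    dkim_ok = any(verdict == "pass" and aligned(d, msg.header_from, adkim)
                  for verdict, d in msg.dkim)
    if spf_ok or dkim_ok:                     # one aligned pass is enough
        return ("pass", "deliver")
    # sp= covers subdomains when the record came from the parent domain
    is_subdomain = msg.header_from.lower() != record_domain.lower()
    sp = tags.get("sp", "").lower()
    policy = sp if (is_subdomain and sp in POLICIES) else tags["p"]
    return ("fail", "deliver" if policy == "none" else policy)

# Constructed sample data (not from the article)
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
LEGIT = Message("example.com", "pass", "bounce.example.com", [("pass", "example.com")])
UNALIGNED = Message("example.com", "pass", "mailer.example.net")  # SPF passes, wrong domain
FORWARDED = Message("example.com", "fail", "lists.example.org", [("pass", "example.com")])
SUBDOMAIN = Message("billing.example.com")                        # no authentication at all
SUBSIGNED = Message("example.com", dkim=[("pass", "mail.example.com")])

def rollout(msg):
    """Disposition of one message at each stage of a none -> reject rollout."""
    return [evaluate(msg, f"v=DMARC1; p={p}", "example.com")[1] for p in POLICIES]

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("unaligned", UNALIGNED),
                    ("forwarded", FORWARDED), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate(m, RECORD, "example.com"))
    print("rollout:", rollout(UNALIGNED))
```

The `UNALIGNED` case is the one SPF alone cannot catch: the envelope sender authenticates, but for a different domain than the one shown in the From header.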

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.

19 Best Free Live Chat Software


Live chat is big right now – and the numbers behind its adoption prove why. Recent research from Kayako, which surveyed more than 400 consumers and 100 businesses, found that:

  • Consumers are more likely to remain loyal, engage in positive word of mouth, and spend up to $500 extra per month with businesses that provide effortless live chat experiences.
  • Over half of consumers (52%) are more likely to repurchase from a company that offers live chat support.
  • 79% of businesses say offering live chat has had a positive effect on sales, revenue, and customer loyalty.

The bottom line? Live chat offers huge potential benefits, whether you’re a big-ticket B2B company or a transactional ecommerce retailer.

But with so many options on the market, which should you choose? First, let’s look at what you can expect across most live chat tools. Then, we’ll explore the 19 best free live chat software programs out there, along with the features that make them different.

Live Chat: Standard Software Features

Knowing what’s commonly available from live chat programs makes it easier to differentiate one option from another.

To that end, here are some common features you’ll find across most live chat software programs:

  • The ability to customize the appearance of your live chat window to your company’s branding.
  • The ability to set “office hours,” during which you have live agents available to chat (vs. a lead capture window that allows visitors to send you their questions for a future response).
  • Triggered display, which makes it possible to display your chat window only on certain pages or in response to certain visitor actions.
  • Basic lead capture capabilities.
  • Chat history and basic chat analytics.

As a note, although these features are available on live chat programs, the extent to which they’re implemented may vary across free and paid plans. Chat history, for example, might be limited to just a few days or weeks on free plans, while longer histories of up to a year may be available by upgrading to the same program’s paid plan.

With that in mind, let’s take a look at our 15 favorite free live chat software programs:

1. Hubspot

Website: hubspot.com/products/crm/live-chat
Price: Free
Free Option: Unlimited

HubSpot launched their free live chat tool as an integral part of their free CRM. This makes it an excellent choice for a growing business because, first off, you won’t have to spend tons of time and money integrating different systems and piping your data into a different place. It just happens automatically. Second, it allows you a full view of your visitor and customer communications as well as contact property data of those you chat with (giving you an edge in terms of context).

Because it’s tied so tightly to the HubSpot CRM you’ll know exactly who you’re chatting with and their history, be it a prospect, long time customer, or new contact.

The whole live chat system is built on their Conversations product, which is like a free, collaborative inbox that the whole company can use to collaborate on incoming messages.

Deals, tickets, and more can be spun up from live chats and transcripts are stored on the contact record in the CRM.

The targeting capabilities are limited, at least on the free setup. However, if you pay for HubSpot’s Marketing Hub, you can do some pretty interesting and robust things with their automation workflows (similar to what you can do with Intercom, Drift, etc.)

2. LiveAgent

Website: liveagent.com/free-live-chat-software/
Price: Free – $39 per month per agent
Free Option: Yes, unlimited agent seats

LiveAgent launched a free live chat tool as an integral part of their free help desk software. The software is ideal for small to medium-sized businesses across all industries. Using the software, you can chat with customers in real-time, while viewing and managing important customer information. All of your live chat conversation transcripts will be saved in the form of a ticket, so you can review what was said to your customers as needed.

Apart from enabling users to chat with customers in real-time, the free software also offers free ticket management, CRM, call center, and knowledge base functionality. In essence, it’s your one-stop-shop for all of your customer service needs.

LiveAgent’s free live chat software is also fully customizable, as well as language adaptable. It’s also the fastest performing live chat widget on the market, enabling you to convert potential buyers into paying customers in seconds. LiveAgent offers 24/7 support, as well as ready to use Android and iOS apps for customer service on the go.

3. Crisp.Chat

Website: crisp.chat/en/
Price: Free – $95/month (details)
Free Option: Yes, 2 seats included

Like many of the live chat tools featured here, Crisp uses chat windows to support customer messaging and feedback gathering. What’s unique, however, is what you can do with this data after it’s captured.

Companies with longer sales cycles, for example, will enjoy the ability to send drip marketing campaigns from the program, based on data gathered by Crisp. The program’s sales pipeline automation tools will also appeal to those with sophisticated sales programs.

Another interesting feature: a status monitoring system that alerts customers to outages as they’re detected. SaaS companies that promise certain uptimes may benefit from these proactive communications.

4. Acquire.io

Website: Acquire.io
Price: $40 per month (details)

Acquire’s live chat solution helps you engage with your visitors and customers at the most critical point of their journey. Its AI-driven assistance mechanism automatically interprets common customer queries and resolves them without involving your service agents. You can also send behavior-based auto messages to garner engagement.

A “Smart Suggestion” feature assists with any input from your customers, which reduces barriers to understanding and helps customers express their concerns easily without having to worry about terminology.

Co-browsing empowers the agent to resolve complex issues in the first interaction. The agent can literally take control of the customer’s browser and give visual cues by engaging in a two-way interaction.

5. JivoChat

Website: https://www.jivochat.com/features/
Price: Free – $13 per month per agent
Free option: Yes, Basic plan for up to 5 agents

JivoChat offers a robust omnichannel business messenger that enables sales and support teams to connect with users via live chat, phone, email and social media channels.

The live chat application provides a single point of record for support and sales reps. Agents receive all chats, emails, and calls in a single, easy-to-navigate window, which enables faster response and resolution times.

The platform offers a host of features that can be used to improve communications with website visitors, including automatic triggers, callbacks, detailed visitor information, CRM integration, and easy connections with other chat tools such as Facebook Messenger and WhatsApp.

JivoChat is used by over 285,000 websites, and with a 4.7 star rating, is the top-rated mobile support app at the App Store.

6. LiveSupporti

Website: livesupporti.com
Price: Free – $99 one-time fee (details)
Free Option: Yes, 1 agent included

Designed to provide great customer support through live chat, LiveSupporti gives users the ability to assign messages to different groups (for example, your sales or customer service teams), as well as to view a “sneak peek” of visitors’ text as they’re typing in order to provide faster support.

Like Tawk, LiveSupporti uses geolocation features to enable agents to provide targeted support. Advanced visitor statistics also improve the service experience by showing agents which pages they’ve visited, how long they stayed on a particular page, their browser, their operating system and their device.

Unlike many of the other systems mentioned here, LiveSupporti offers an “Infinity” plan that can be locked in for unlimited agents for a one-time fee. If you anticipate using live chat for a long time, across a large team of agents, LiveSupporti’s one-time fee may turn out to be cheaper than ongoing subscription charges.

5. LiveZilla

Website: livezilla.net
Price: Free – 1100€ lifetime fee for unlimited operators and bots (details)
Free Option: Yes, 1 operator or bot included

Like other programs described here, LiveZilla offers three core features: live chat, visitor monitoring and user ticketing.

A few things that set it apart, however, include its development based on open source technology, as well as its data privacy features (especially important to EU companies that must be GDPR compliant).

6. Rocketbots

Website: rocketbots.io
Price: Free – $99/month (details)
Free Option: Yes, up to 1,000 messages per month

Rocketbots straddles the line between live chat tool and CRM. Not only does the program integrate with multiple messaging apps – including Facebook Messenger, WeChat, Slack and Kik – it captures the information gathered on these platforms to facilitate more effective messaging.

Rocketbots calls itself a “self-learning system,” stating that it includes an “AI that learns from your conversations and suggests the replies you’ve already used when similar inquiries come up later. The more conversations you have, the smarter it gets.”

Because the program offers a free trial with no credit card required, it’s worth a look if you’re looking for a more advanced chat system that spans multiple platforms.

7. Userlike

Website: userlike.com
Price: Free – 299€ per month (details)
Free Option: Yes, includes 1 operator, 1 chat widget and unlimited chats

Userlike is an all-in-one software for live chat and messaging support that enables you to chat with your customers right from your website or via popular messaging apps like Facebook Messenger, WhatsApp, SMS and more. It’s designed to support ongoing conversations with customers so that when a customer contacts you again, chat agents can see previous conversations and continue where they left off.

Their free plan includes unlimited chats and one chat widget. With their paid plans, you can unlock features like widget customization, chatbots, analytics and integrations with other business tools.

For companies based in Europe, Userlike makes data privacy a top priority – it’s hosted in Germany and is 100% GDPR compliant.

8. onWebChat

Website: onwebchat.com
Price: Free – $8/month/operator (details)
Free Option: Yes, up to 100 chats per month

onWebChat may not be as feature-rich as some of the other options, but its lightweight construction offers one key benefit: it claims to not affect site speeds on the sites where it’s installed. Given that more than half of website visitors will leave a page that takes more than three seconds to load, site speed should be a vital consideration when choosing a live chat program.

That said, onWebChat’s minimalist approach doesn’t mean your visitors’ experience will suffer. Besides its core chat features, onWebChat offers the ability to easily toggle between multiple chats, as well as a visitor history viewer that’s visible to agents during chat sessions.

9. Pure Chat

Website: purechat.com
Price: Free – $79/month (details)
Free Option: Yes, unlimited live chat for up to 3 users or operators

A straightforward program, PureChat offers the simplicity of tools like onWebChat alongside more advanced options, such as its ArtiBot.ai lead capture bot.

The free version of the program makes past chat transcripts and canned responses available, while paid plans add real-time visitor analytics and SMS messaging capabilities. Detailed setup guides are available for popular platforms at all subscription levels.

10. ZenDesk

Website: zendesk.com
Price: Free – $59/month/agent (details)
Free Option: Yes, including 1 concurrent chat

Live chat is just one part of ZenDesk’s larger suite of customer support tools, so it’s most effective in practice if you plan to buy into the company’s larger product ecosystem.

If you do, you’ll enjoy access to triggered conversations and live chat analytics, as well as the ability to integrate with everything from websites and mobile apps, to popular messaging apps like Facebook Messenger and LINE.

11. ClickDesk

Website: clickdesk.com
Price: Free – $39.99/month (details)
Free Option: Yes, for up to 10 users and 30 chats

One notable feature you’ll find on ClickDesk that you won’t find on many other live chat programs is video chat functionality, which makes it possible to offer face-to-face support to your customers.

On top of that, ClickDesk guarantees 99.95% uptime, in addition to providing users with a popular help desk option and integrations with commonly-used social media programs.

12. Smartsupp

Website: smartsupp.com
Price: Free – $23.75/month/agent (details)
Free Option: Yes, for up to 3 agents

Smartsupp is a smart choice for ecommerce sellers, given the program’s integration with popular shopping platforms, as well as video recordings of users’ website activities to facilitate easier support experiences.

As an added bonus? If you’re a pro user and you happen to drop by the team’s office in the Czech Republic, they’ll treat you to a complimentary shot of local Slivovica brandy.

13. Zoho SalesIQ

Website: zoho.com/salesiq
Price: Free – $129/month (details)
Free Option: Yes, for up to 2 operators

Like ZenDesk, Zoho’s SalesIQ live chat program is part of the larger Zoho ecosystem, which contains everything from CRM to sales-focused tools.

Users who sign up for multiple Zoho programs will get the most out of SalesIQ’s features, but even those who don’t will be able to enjoy automated visitor geolocation, lead scoring and sales team coaching features that allow team managers to understand the performance of individual agents.

14. Chatra

Website: chatra.io
Price: Free – $19/month/agent (details)
Free Option: Yes, including 1 agent

Like other programs listed here, Chatra offers a multilingual chat widget that ensures agents are able to provide a great experience to all visitors – no matter where in the world they’re located.

Beyond this, users may be interested in Chatra’s screen sharing integration, as well as its outgoing webhooks, which make it easier to sync Chatra activities with other programs. Although both features are only available to paid users, they’re worth a look by any business that’s interested in maximizing the value of its live chat experiences.

15. HelpCrunch

Website: helpcrunch.com
Price: Free – $15/month (details)
Free Option: 14-day free trial

HelpCrunch calls its live chat system a “smart customer communication platform” because it offers so much more than simple chat engagement. Beyond its ability to answer visitor questions, the system comes with built-in lead prequalification features and multichannel messaging opportunities.

Agents using the platform will benefit from tagging, assigning and merging features that simplify visitor conversation management. And a heads-up for smaller teams – these features and more are available for free to single-agent subscriptions.

16. Freshdesk

Website: freshworks.com/live-chat-software
Price: Free – $99/month/team member (details)
Free Option: Yes, including up to 10 team members

Looking for a live chat system that ties directly into a CRM, a marketing automation platform, a help desk and more? Look no further than FreshChat – part of the FreshWorks 360-degree “customer-for-life” software suite.

In addition to its extensibility, FreshChat offers agents visitor context tools, which enrich chat conversations with event timelines, user information and data from visitors’ social profiles. It also makes a huge resource library available, ensuring every FreshChat user gets the most out of the popular platform.

17. Intercom

Website: Intercom.com
Price: Free – $153/month (details)
Free Option: Yes — Free trials for Business Messenger, Team Inbox, Outbound Messages

Intercom is the leading conversational relationship platform that helps businesses build better relationships with their customers through scalable messaging. Staying true to this goal, Intercom’s Business Messenger allows companies to chat with customers in real-time. With its app store of more than 100 apps, the Business Messenger can easily integrate with other tools, making it infinitely customizable to whatever is most important to your business.

What makes Intercom stand out from competitors is the seamless way you can communicate with all your customers through one interface — whether it’s answering an email or an in-app message. The chat window also mimics apps that users use daily, making it easy and inviting for them to talk to a customer support rep.

Another interesting Intercom feature is the triggered automated campaigns that you can create based on a particular event or user behavior. For example, if a repeat visitor looks at a page a number of times, you can start a direct conversation with them, whether it’s automated or in real-time.

18. Tidio

Website: https://www.tidio.com/live-chat/
Price: Free – $15/month/10$/additional operators (details)
Free Option: Yes, includes 3 operators.

All-in-one website chat (boosted with chatbots) might be all you need to engage your website visitors in real-time, capture leads and create personalized offers on the spot. It goes by the name of Tidio Live Chat.

With Tidio you can easily address your customers’ questions and concerns, build customized chatbots and track your visitors’ behaviour – from the moment they land on your page. Tidio offers a free plan (forever) equipped with all important features to help you run a successful eCommerce business. It’s one of the most innovative and affordable solutions on the market. Tidio can also be integrated with most popular eCommerce platforms, as well as Zapier and other third-party apps.

19. Tawk.To

Website: tawk.to
Price: Free (chat agents available for $1/hour)
Free Option: Yes, unlimited usage

Though Tawk doesn’t offer the same level of sales automation features as Crisp, those with simpler live chat needs will appreciate its “always free” option and its promise of one-minute installation.

Once set up, Tawk’s ticketing system, ability to localize greetings and messages based on visitors’ location and trigger-based engagement make it a great choice for providing site and customer support. The option to hire live agents through the platform for just $1 an hour may also be appealing to companies that want to provide a higher level of personalized support.
