This is your guy: https://www.alphastrike.io/
In their own words:
Alpha Strike Labs are a security consulting company specialized in
industrial security and advanced security assessments. Based in Berlin
and Vienna, we pride ourselves on offering high-end professional
services in various areas of Cyber Security.
Do I need to be concerned?
In short, no. But nowadays most DNS servers are configured to deny zone transfers, because that makes reconnaissance of your infrastructure a bit too easy. On the other hand, this is not secret information. A good chunk of your zone can be reconstructed from indirect methods like scanning your IP range and doing reverse DNS.
Why do they transfer the localhost zone?
Generally speaking:
An entity that can enumerate your zone can figure out all the hosts you have declared, and there are legitimate reasons for this: research. A number of outfits such as Internet security companies probe the Internet for research and statistical purposes. A very common example is measuring the market share of Internet software vendors like web or mail servers.
That could have been a search engine too. They have to use every trick to discover, crawl and index new hosts that would otherwise go unnoticed.
Bottom line: any machine that is exposed on the Internet is going to be probed all the time, and not all probes are malicious.
But the interesting question here is: why do they transfer the localhost zone specifically? Normally the zone looks like this:
localhost. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
localhost. 604800 IN NS localhost.
localhost. 604800 IN A 127.0.0.1
localhost. 604800 IN AAAA ::1
localhost. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
So I am not sure what kind of juicy details (internal hostname?) they are expecting to find here. You could contact them directly and ask. A legitimate company should not be ashamed to explain why and how they are probing your systems.
Why is this transfer successful? (*)
AFAIK this is allowed by default in Bind. You can deny AXFR on a per-zone basis or globally. To disable it globally you could add this entry in named.conf: allow-transfer {"none";};
If you have slave name servers that sync with a master using AXFR, then whitelist their IP addresses or range. Otherwise zone transfer can be safely disabled as there is no reason to expose your zone to the whole world.
See allow-transfer
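The configuration the answer describes, written out as an added example that is not part of the original answer: AXFR is denied globally in named.conf, and only the zone that actually has secondaries gets an allow-list. The ACL name, the zone name, the file paths and all addresses are placeholders for illustration.

```conf
// Added example (not from the original answer): named.conf fragment that
// denies zone transfers globally and whitelists only the secondaries.
// All names, paths and addresses below are placeholders.

acl "secondaries" {
    192.0.2.10;        // hypothetical secondary name server
    192.0.2.11;        // hypothetical secondary name server
    2001:db8::53;      // hypothetical IPv6 secondary
};

options {
    directory "/var/cache/bind";
    // Global default: nobody may pull a zone transfer.
    allow-transfer { none; };
};

// Authoritative zone with real secondaries: only the ACL above may AXFR it,
// and NOTIFY is sent to them so they re-sync promptly after a change.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.10; 192.0.2.11; };
    notify yes;
};

// The stock localhost zone has no secondaries, so it simply inherits the
// global deny; the transfer the question describes is now refused.
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
```

After editing, run named-checkconf to validate the syntax and reload named. To confirm the change from an outside host, ask your own server for the zone with dig (dig @ns.example.com example.com AXFR); a refused transfer is reported as "; Transfer failed.", while the same query from a whitelisted secondary still returns the full zone.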