I am not the one that initially configured this server and am not an expert with DNS. I noticed that our Checkpoint VPN-1 Edge firewall is showing packets blocked from the IP address 192.168.116.1 on port 137 for spoofed IP.
I looked under Forward Lookup Zones > ourdomain.com > domaindnszones, and found that, in addition to an A record for the IP address of this server, there are two other records, one for 192.168.116.1, and one for 192.168.153.1. These addresses appear to be the server itself, as when I type in \\192.168.116.1 in Explorer I get the shares. When I ping this IP address from any other workstation it times out.
As far as I know, none of our devices are in the 192.168.116.x range; we use a 255.255.255.0 subnet mask. I figure I should delete these entries. Can anyone explain to me what these entries are intended to be for and why they might be there?
Note: these entries are also in Forward Lookup Zones > ourdomain.com > forestdnszones
Also, these spoofed IP entries always seem to be after a request on port 137 from a VPN client (our VPN clients are on 192.158.254.x, 192.168.1.200 is our server):
2008-09-30 19:15:28 Local7.Info 192.168.1.99 2008 Sep 30 18:16:12 00:08:da:72:ef:60 <50000> Decrypted Inbound packet (Custom rule) Src:192.168.254.24 SPort:137 Dst:192.168.1.200 DPort:137 IPP:17 Rule:5 Interface:WAN (Internet)
2008-09-30 19:15:34 Local7.Info 192.168.1.99 2008 Sep 30 18:16:18 00:08:da:72:ef:60 <50000> Dropped Outbound packet (Spoofed IP) Src:192.168.116.1 SPort:137 Dst:192.168.254.24 DPort:137 IPP:17 Rule:-4 Interface:LAN
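An added example, not part of the original post: a Python sketch that pairs each "Spoofed IP" drop in logs of this format with the inbound request that preceded it, and reports whether the dropped source address belongs to a known subnet. The subnet list is an assumption (LAN 192.168.1.0/24 from the server address and mask, VPN 192.168.254.0/24 from the Src field in the log), and the function names and 30-second window are hypothetical.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# The two firewall log lines quoted in the post.
SAMPLE_LOG = """\
2008-09-30 19:15:28 Local7.Info 192.168.1.99 2008 Sep 30 18:16:12 00:08:da:72:ef:60 <50000> Decrypted Inbound packet (Custom rule) Src:192.168.254.24 SPort:137 Dst:192.168.1.200 DPort:137 IPP:17 Rule:5 Interface:WAN (Internet)
2008-09-30 19:15:34 Local7.Info 192.168.1.99 2008 Sep 30 18:16:18 00:08:da:72:ef:60 <50000> Dropped Outbound packet (Spoofed IP) Src:192.168.116.1 SPort:137 Dst:192.168.254.24 DPort:137 IPP:17 Rule:-4 Interface:LAN
"""

# Assumption: subnets this site expects to see (LAN and VPN clients).
KNOWN_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.254.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?> (?P<action>.+?) "
    r"Src:(?P<src>\S+) SPort:(?P<sport>\d+) Dst:(?P<dst>\S+) DPort:(?P<dport>\d+)")

def parse(log_text):
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events

def correlate_spoof_drops(events, window_s=30):
    """Pair each 'Spoofed IP' drop with the request it appears to answer."""
    findings = []
    for i, ev in enumerate(events):
        if "Spoofed IP" not in ev["action"]:
            continue
        trigger = None
        for prev in reversed(events[:i]):
            if (ev["ts"] - prev["ts"]).total_seconds() > window_s:
                break
            # A reply goes back to the requester, from the requested port.
            if prev["src"] == ev["dst"] and prev["dport"] == ev["sport"]:
                trigger = prev
                break
        findings.append({
            "spoofed_src": ev["src"],
            "in_known_net": any(ip_address(ev["src"]) in n for n in KNOWN_NETS),
            "request_was_for": trigger["dst"] if trigger else None,
            "delay_s": (ev["ts"] - trigger["ts"]).total_seconds() if trigger else None,
        })
    return findings

if __name__ == "__main__":
    print(correlate_spoof_drops(parse(SAMPLE_LOG)))
```

A finding whose `request_was_for` is the server while `spoofed_src` is outside every known subnet means the reply left from a different address than the one the client asked.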