Hmmm.... well before I banned the IP, I saw that it had re-established from 10.12.0.1 to 255.255.255.255 on UDP port 67. After I banned it I rebooted my firewall and I see a connection on UDP 67 from on my my ISP's DNS servers. An nmap scan shows the exact open/closed/filtered ports running, so I'm guessing that 10.12.0.1 was one of my ISP's DNS servers???
If so, then why would it appear as a 10.12. addy???