There are all kinds of nice features regarding TCP port randomization, however with these new DNS problems starting I'm curious about UDP port randomization, for DNS especially.
My internal recursive DNS servers were vulnerable to this new port randomization problem: http://tools.cisco.com/security/center/viewAlert.x?alertId=16183
I've taken the time to patch everything as I'm sure everyone else has, however the way the Cisco ASA translates UDP requests I get the feeling that either I've missed something or that there is still a problem when one uses PAT through a PIX or ASA (and probably other PAT devices.)
So here are some logs. As you can tell, my newly patched DNS servers are doing the right thing and completely randomizing the source ports, and as you can clearly see my ASA is clearly negating every single one of them. Obviously this only happens when going through a shared 'global'. Am I missing something or is there no way to randomize UDP translations?
%ASA-6-302015: Built outbound UDP connection 1855997200 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/64700 (I.N.A.T/27287)
%ASA-6-302015: Built outbound UDP connection 1855997201 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/18132 (I.N.A.T/27288)
%ASA-6-302015: Built outbound UDP connection 1855997202 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/30062 (I.N.A.T/27289)
%ASA-6-302015: Built outbound UDP connection 1855997203 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/7317 (I.N.A.T/27290)
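A quick way to check your own logs for the symptom shown above, as an added example that is not part of the original post: it parses `%ASA-6-302015` lines for DNS flows and flags the case where the inside source ports vary but the PAT-translated ports advance by exactly one each time. The sample input is the four lines from the post (placeholder hostnames kept as written); the regex assumes the field layout shown there.

```python
import re
from typing import List, Tuple

# Sample %ASA-6-302015 lines copied from the post above (placeholder hosts kept as-is).
ASA_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1855997200 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/64700 (I.N.A.T/27287)
%ASA-6-302015: Built outbound UDP connection 1855997201 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/18132 (I.N.A.T/27288)
%ASA-6-302015: Built outbound UDP connection 1855997202 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/30062 (I.N.A.T/27289)
%ASA-6-302015: Built outbound UDP connection 1855997203 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/7317 (I.N.A.T/27290)
"""

# Layout assumed: "<ifc>:<dst>/<dport> (<mapped>/<port>) to <ifc>:<src>/<sport> (<xlated-src>/<xport>)"
LINE_RE = re.compile(
    r"%ASA-6-302015: Built outbound UDP connection \d+ for "
    r"\S+:(?P<dst>\S+)/(?P<dport>\d+) \(\S+/\d+\) to "
    r"\S+:(?P<src>\S+)/(?P<sport>\d+) \((?P<xsrc>\S+)/(?P<xport>\d+)\)"
)


def parse_translations(log: str) -> List[Tuple[int, int]]:
    """Return (real_source_port, translated_source_port) for each DNS (dport 53) flow."""
    pairs = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "53":
            pairs.append((int(m.group("sport")), int(m.group("xport"))))
    return pairs


def port_spread(ports: List[int]) -> int:
    """Crude randomness measure: number of distinct gaps between consecutive ports."""
    gaps = {b - a for a, b in zip(ports, ports[1:])}
    return len(gaps)


def pat_defeats_randomization(pairs: List[Tuple[int, int]], min_flows: int = 3) -> bool:
    """True when inside ports are spread out but every translated port is exactly previous+1."""
    if len(pairs) < min_flows:
        return False
    real = [p[0] for p in pairs]
    xlated = [p[1] for p in pairs]
    sequential = all(b - a == 1 for a, b in zip(xlated, xlated[1:]))
    return sequential and port_spread(real) > 1


if __name__ == "__main__":
    flows = parse_translations(ASA_LOG)
    print("PAT is serializing DNS source ports:", pat_defeats_randomization(flows))
```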