Yes, that's actually because we have something called DNS ALG enabled. With the ALG enabled, once the firewall sees the DNS response, the session will be aged out. If you disable the ALG, the session will behave like a normal UDP session, which gets aged out after 1 min or will still get refreshed if there is more traffic passing through the session.
Note that the purpose of the ALG was to give speedier refresh times for DNS sessions, especially if you have a lot of DNS sessions.
You can disable the ALG either:
i) globally on the CLI:
    unset alg dns enable
ii) via the policy with something like this:
    set policy id 3 from trust to untrust any any DNS permit
    set policy id 3 application-ignore
Message Edited by WL on 07-09-2009 09:18 AM
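The session-aging difference described above, modelled as an added example (not code from the post or from the firewall vendor): a toy session table where the DNS ALG removes the session as soon as the response is seen, while a plain UDP session lives until it has been idle for the 60 s timeout (assumed here as the "1 min" default) and is refreshed by further traffic. Addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 60  # seconds; assumed value for the "1 min" default UDP timeout


@dataclass
class Session:
    key: tuple        # (src, sport, dst, dport) of the packet that opened it
    last_seen: float  # timestamp of the last packet that refreshed the idle timer


@dataclass
class SessionTable:
    dns_alg: bool = True
    sessions: dict = field(default_factory=dict)

    def expire(self, now):
        """Age out sessions idle for UDP_IDLE_TIMEOUT or longer."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen >= UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.sessions[k]

    def packet(self, now, src, sport, dst, dport, is_dns_reply=False):
        self.expire(now)
        # A reply matches the forward session, so reverse the 5-tuple to find it
        key = (dst, dport, src, sport) if is_dns_reply else (src, sport, dst, dport)
        if is_dns_reply and self.dns_alg and key in self.sessions:
            del self.sessions[key]  # ALG: the DNS answer completes the transaction, age out now
            return
        s = self.sessions.get(key)
        if s is None:
            self.sessions[key] = Session(key, now)
        else:
            s.last_seen = now  # normal UDP: any matching traffic refreshes the timer

    def count(self, now):
        self.expire(now)
        return len(self.sessions)


def run(dns_alg):
    """Return (sessions 58s after the reply, after a refresh, after 61s idle)."""
    t = SessionTable(dns_alg=dns_alg)
    c, r = ("10.0.0.5", 40000), ("192.0.2.53", 53)  # constructed client and resolver
    t.packet(0, *c, *r)                              # DNS query opens the session
    t.packet(1, *r, *c, is_dns_reply=True)           # resolver answers at t=1
    after_reply = t.count(59)                        # 58s idle: ALG gone, plain UDP still there
    t.packet(50, *c, *r)                             # more traffic on the same 5-tuple
    after_refresh = t.count(100)                     # 50s idle since refresh: still present
    after_idle = t.count(111)                        # 61s idle: aged out either way
    return after_reply, after_refresh, after_idle
```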