I have a question related to how PIX/ASA firewalls maintain UDP session information. My understanding is that when there is a UDP connection from a lower to a higher security zone, the UDP server (e.g. DNS) in the higher security zone responds to the UDP query even if the outbound UDP is blocked (i.e. even if there is excplicit ACL blocking DNS traffic from inside to outside).
So, how would the FW track the different UDP sessions while UDP is connectionless protocol. I can understand it with TCP as TCP sessions have unique session numbers, but how is that dealt with UDP protocols?