The DNS-over-TCP implementation in Cisco IOS 12.2 and 15.0 through 15.3, when NAT is used, allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 DNS TCP stream, aka Bug ID CSCtn53730.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-nat