DNS Policies are not properly resolving CNAMEs in Zone Scopes if the Query Resolution Policy includes the NE operator for Client Subnets
Solution 1:
The expected behaviour is : For CNAME/DNAME/ADDITIONAL SECTIONS • For each part of a chained response, the policies must be applied all over again. The criteria of these policy will be matched against the values in the original query (e.g. TimeOfDay, Client subnet etc.) except for QTYPE and FQDN. • If any of the policies used in the chain result in a DENY/IGNORE, the DNS server must send the partial response to the client if available. The Deny/Ignore will apply only for that FQDN or zone.
I think the results are expected.
Kumar Ashutosh [I designed DNS Server Policies]