Starting today, you can enable Route 53 Resolver DNS Firewall to automatically skip the inspection of domains included in a domain redirection chain, such as Canonical Name (CNAME) and Delegation Name (DNAME), thus avoiding the need to explicitly specify each domain from the chain in your Route 53 DNS Firewall rules when allow-listing domains.
Source:: Amazon AWS