Hi Vinnie,
Based on your statement, I assume that your ACOS device is in the path of all the outgoing traffic (at least for DNS queries). In this case, you might already have a wildcard VIP, correct? If this is the case, you can redirect all the DNS requests from internal to your private DNS by having tcp/udp port 53 associated with your private DNS as real-server/service-group. It will be the simplest way (without using aFleX).
I’m not quite sure what exactly you want to achieve using CNAME based on the explanation above. If you would like to see some aFleX examples for the DNS_REQUEST event, please take a look at the following pages that you may be interested in.
https://dev-a10wp.pantheonsite.io/index.php/forums/topic/block-dns-queries-with-class-list/#post-1327
https://dev-a10wp.pantheonsite.io/index.php/forums/topic/drop-certain-dns-queries-any-and-rd/
Hope this helps.