I have resolved the issue. As you (correctly) pointed out, I don't know how to spell challenge 
.
Is
192.168.7.20hosting your Pi-hole, and is that grep output showing itsdnsmasqconfiguration?
Yes, this is my Pi-hole and that grep output is showing its dnsmasq configuration.
I'm assuming you are experimenting with this configuration under lab conditions for learning or testing purposes.
I am using Smallstep's step-ca for an on-premises CA which supports ACME. It works very well and I use it for all of my internal applications behind Traefik Proxy. But, I digress.
Back to what my issue was with regards to this post. The resulting Target Domain from the CNAME record (that I have in /etc/dnsmasq.d/05-pihole-custom-cname.conf) was actually getting tagged by Pi-Hole's Audit Log. I had to go into the Audit Log and whitelist the target domain. Once I did that and learned how to spell challenge, my nslookup issue went away.
With that said, I'll mark this as resolved.