The Symantec Endpoint Protection (SEP) Smart DNS feature does not allow responses with a very long list of Aliases (CNAME). The issue was occurring with the login.microsoftonline.com DNS name from mid-November until November 29 2017. The response given by the DNS server for the lookup of this DNS name has since been changed, but the issue may potentially occur with other lookups.
When Smart DNS fails to recognize and allow a packet, it gets handled by the regular SEP firewall rules - if the packet is ultimately allowed or not depends on how these rules are configured to handle the traffic. Smart DNS will never block a packet, only allow it or leave it to be handled by the regular firewall rules.
A product fix has been released with the SEP 14.0 RU1 MP1 version.
CNAME chains long enough to cause the problem should generally be rare. In the login.microsoftonline.com case the chain was 8 names long, but the issue may occur with less steps if the names are longer.