This is impossible. iptables controls Netfilter, which is an IP packet filter (a firewall) that acts on OSI levels 3 and 4. DNS domain names are a higher-level (and somewhat orthogonal) thing than that.
You may control access to some IP addresses (L3) and TCP/UDP ports (L4) with Netfilter.
If you want to control access to web sites, you have the following options:
- resolve the DNS name in advance, get the IP addresses and put those into the firewall. AFAIK iptables is doing that itself when you give it a domain name; the thing it configures inside Netfilter is the resolved IP address for that name. When the owner of that domain decides to change the IP address, your rule won't apply anymore. If there is more than one web site hosted on the server which has this IP address (i.e. there is virtual hosting which serves several names), you will either permit them all together or disable them all together. This is what you seem to be doing right now;
- an HTTP(S) proxy, which checks requested domain names and forbids access to some. Modern inventions like ECH (eSNI) will reduce your power down to only controlling access to IP ranges, as with a plain firewall, because they make it impossible for you to find out which hostname was requested;
- DNS filtering, which configures which domains your recursive resolver will resolve for clients and which ones it won't. Again, modern inventions like DNS-over-HTTPS (by Cloudflare) will impair your power to do that, because your DNS server will no longer be responsible for resolving names and you can't possibly know which hostname was requested;
- deep packet inspection (DPI). And again, the modern Internet is clearly going towards disabling the possibility of traffic inspection by third parties.
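The first option above (iptables expanding a hostname into fixed per-IP rules at the moment the rule is added) is easy to demonstrate and to audit for staleness. The following is an added example, not code from the answer or from iptables itself: it generates the per-address DROP rules iptables would install for a name, and checks an `iptables -S` listing against what DNS returns now, so an administrator can spot rules that no longer match the site's address. The hostname `example.test`, the `192.0.2.x` addresses and the rule listing are constructed sample data.

```python
"""Audit host-based iptables rules against what DNS currently returns."""
import re
import socket
from typing import Dict, List, Set

# Constructed `iptables -S OUTPUT` listing: the admin once ran
#   iptables -A OUTPUT -d example.test -p tcp --dport 443 -j DROP
# and iptables stored one rule per address resolved at that moment.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DROP
-A OUTPUT -d 192.0.2.11/32 -p tcp -m tcp --dport 443 -j DROP
"""

DST_RE = re.compile(r"-A \S+ -d (\S+)")


def rule_commands(addresses: Set[str], port: int) -> List[str]:
    """Commands equivalent to what iptables does internally: one static
    per-IP rule for each address the name resolved to when it was added."""
    return [f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(addresses)]


def resolve(hostname: str) -> Set[str]:
    """Current IPv4 addresses of a hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def blocked_addresses(rules: str) -> Set[str]:
    """Destination addresses present in DROP/REJECT rules of an -S listing."""
    found = set()
    for line in rules.splitlines():
        if not line.startswith("-A"):
            continue
        if " -j DROP" not in line and " -j REJECT" not in line:
            continue
        m = DST_RE.match(line)
        if m:
            found.add(m.group(1).split("/")[0])  # drop the /32 mask
    return found


def drift(rules: str, current: Set[str]) -> Dict[str, List[str]]:
    """Compare addresses blocked by the rules with the site's addresses now."""
    in_rules = blocked_addresses(rules)
    return {"stale": sorted(in_rules - current),     # blocked, but no longer the site
            "missing": sorted(current - in_rules)}   # the site now, but not blocked


if __name__ == "__main__":
    # Assumed: example.test has since moved from .10 to .12
    print(drift(SAMPLE_RULES, {"192.0.2.11", "192.0.2.12"}))
```

Running `drift(SAMPLE_RULES, resolve("example.test"))` on a live system shows the rules that silently stopped applying after the site changed address.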