`iptables` (and `ip6tables`) functions on a layer of the OSI network model which does not have any concept of a DNS name -- it deals with IPv4 addresses (and `ip6tables` deals with IPv6 addresses), as @vidarlo says. But, let's say you wanted to ignore that. And it's actually quite simple.

All you need to do is, on every connection attempt, perform a reverse DNS lookup against the IP address which `iptables`/`ip6tables` encounters, before it decides whether to allow the connection or not.
However, there are significant problems that emerge:
- Performance. Performing such a lookup on every connection will absolutely murder any performance you would otherwise expect on that interface. You probably don't want that, so you could set up a caching DNS server, but that leads into two other issues.
- CDNs exist. Just because Cloudflare or AWS or Digital Ocean is serving up an IP address for the `microsoft.zip` domain right now does not mean you'll get that IP address the next time you do a lookup. And additionally, if you decide you're going to block the entirety of Cloudflare/AWS/Digital Ocean because they allow for .zip-hosted domains, well. Good luck.
- Reliability. In order to get the DNS name from an IP address, you need to perform a RDNS lookup, as I mentioned above. But there is absolutely no requirement for anyone to provide A or AAAA records. Which means that if you do a RDNS lookup for an IP address, it doesn't have to return any results in the .zip gTLD (or, it could return some Cloudflare/AWS name instead). And while we've all seen the big lists of domain purchases, what you won't get is any subdomains. So someone may buy `amazon.zip` and you may assume that they'll create `aws.amazon.zip` or `s3.amazon.zip` or `www.amazon.zip`, but you won't actually know until you do a lookup. And the answer may change, without warning; the only way to know for sure what subdomains exist is to be the domain owner or the registrar.
So what you're left with is that you need to create some method of finding out what .zip domains exist, then find out what IP addresses those domains use, then find all possible subdomains those domains are using, then manage a database of domain/IP/TTL and keep it updated, and then allow `iptables`/`ip6tables` to read from that (but you'd probably be better served with something like Snort or Suricata).
See? Simple.
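As an added illustration (my own sketch, not part of the answer above), here is what the "database of domain/IP/TTL" bookkeeping from the last paragraph looks like once you feed it to the kernel via `ipset`. Everything DNS-related is a constructed stand-in so it runs offline: `make_fake_resolver` scripts the answers a CDN might hand out, and the domain names and RFC 5737/3849 addresses are made up. The `ipset`/`iptables` commands are only rendered as strings, never executed; the set name `zip_block` and the function names are my choices.

```python
"""Track domain -> IP leases for a list of .zip domains and render them as
ipset/iptables commands whose per-entry timeout mirrors the DNS TTL.

The resolver is a constructed stand-in (no network).  For real use you would
swap in socket.getaddrinfo or dnspython, and subdomain discovery is still on
you: this only follows the names it is given."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Resolver signature: domain -> (list of IP strings, TTL in seconds).
Resolver = Callable[[str], Tuple[List[str], int]]

# db maps IP -> (domain it was last seen serving, absolute expiry timestamp).
AddrDB = Dict[str, Tuple[str, float]]


def refresh(db: AddrDB, domains: Iterable[str], resolve: Resolver, now: float) -> AddrDB:
    """Re-resolve every domain, record its current addresses with expiry
    now + TTL, then drop addresses whose lease has run out.  An address that
    a CDN has since moved to another domain is simply re-attributed."""
    for name in domains:
        try:
            addrs, ttl = resolve(name)
        except LookupError:
            continue  # NXDOMAIN / timeout: keep whatever we already had
        for a in addrs:
            ipaddress.ip_address(a)  # raises on garbage before it reaches ipset
            db[a] = (name, now + max(int(ttl), 1))
    for a in [a for a, (_, exp) in db.items() if exp <= now]:
        del db[a]  # lease expired and not renewed: the CDN may have reused it
    return db


def render_rules(db: AddrDB, now: float, setname: str = "zip_block") -> List[str]:
    """Emit shell commands for the live entries.  ipset's 'timeout' makes the
    kernel age entries out by itself, so a stale CDN address is not blocked
    for longer than DNS told us it belonged to the domain."""
    v4, v6 = f"{setname}4", f"{setname}6"
    cmds = [
        f"ipset -exist create {v4} hash:ip family inet timeout 0",
        f"ipset -exist create {v6} hash:ip family inet6 timeout 0",
    ]
    for ip, (name, exp) in sorted(db.items()):
        remaining = int(exp - now)
        if remaining <= 0:
            continue
        target = v6 if ipaddress.ip_address(ip).version == 6 else v4
        cmds.append(f"ipset -exist add {target} {ip} timeout {remaining}  # {name}")
    # -C checks for the rule first so repeated runs do not stack duplicates.
    cmds.append(f"iptables -C OUTPUT -m set --match-set {v4} dst -j REJECT 2>/dev/null || "
                f"iptables -I OUTPUT -m set --match-set {v4} dst -j REJECT")
    cmds.append(f"ip6tables -C OUTPUT -m set --match-set {v6} dst -j REJECT 2>/dev/null || "
                f"ip6tables -I OUTPUT -m set --match-set {v6} dst -j REJECT")
    return cmds


def make_fake_resolver(answers: Dict[str, List[Tuple[List[str], int]]]) -> Resolver:
    """Constructed stand-in for DNS: each domain has a scripted sequence of
    answers; calls walk through it and stick on the last one.  Unknown names
    raise LookupError, like a failed lookup would."""
    state = {k: list(v) for k, v in answers.items()}

    def resolve(name: str) -> Tuple[List[str], int]:
        queue = state.get(name)
        if not queue:
            raise LookupError(name)
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return resolve


def demo() -> Tuple[AddrDB, AddrDB]:
    """Two refresh passes 70 s apart: example.zip (constructed) moves to a
    new CDN address, so the old one lapses and is pruned on the second pass."""
    resolve = make_fake_resolver({
        "example.zip": [(["203.0.113.10", "2001:db8::10"], 60), (["203.0.113.11"], 60)],
        "sub.example.zip": [(["198.51.100.5"], 30)],
        # "nxdomain.zip" is deliberately absent: refresh() must tolerate that.
    })
    names = ["example.zip", "sub.example.zip", "nxdomain.zip"]
    t0 = 1_000_000.0
    db: AddrDB = {}
    first = dict(refresh(db, names, resolve, t0))
    second = dict(refresh(db, names, resolve, t0 + 70))
    return first, second


if __name__ == "__main__":
    _, live = demo()
    print("\n".join(render_rules(live, 1_000_000.0 + 70)))
```

Note what the second pass shows: the first CDN address for `example.zip` is gone from the set once its TTL lapses, while `sub.example.zip` only survives because it was explicitly in the list to re-resolve; a subdomain you never learned about is never blocked, which is the answer's point about subdomains.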