A home-grown option we’re going to try is to build a dynamic IP address allow-list based on a list of approved host/domain names. We could run an overnight batch script to create a ‘daily’ IP address allow-list, and we could further improve that with a more frequently running script, e.g. hourly or half-hourly, to accommodate changing IP addresses. We could even combine these IP address allow-lists for greater firewall inspection efficiency.
The NGFWs you mention do this much better and in near-real time. But it’s an external purchase cost which we’ll have to justify, which we may do if the cost of building internally becomes infeasible. The leader in this DNS firewalling capability, using a proprietary protocol called ‘don’t talk to strangers’, is adamnet.works. I’m trying to make a case internally to explore their solution instead of building internally. They seem to have a subscription model which makes the solution really cost effective.
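As an added example (not the poster's script, and not code from any of the products mentioned), the following Python sketch shows the hostname-to-allow-list approach described in the post: resolve each approved hostname, merge the daily and hourly results, report what changed between refreshes, and render the result as an `ipset restore` script that swaps the new set in atomically. DNS resolution is injected as a function so the logic can run offline against a constructed lookup table; the hostnames and addresses below are made up (documentation ranges), and the set name `approved-egress` is an arbitrary placeholder.

```python
"""Dynamic IP allow-list built from approved hostnames (illustrative, not production code)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver maps one hostname to a list of address strings.
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve via the host's DNS (socket.getaddrinfo); unresolvable -> empty list."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_allowlist(hostnames: Iterable[str], resolver: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Map each approved hostname to the addresses it currently resolves to.

    Blank lines and '#' comments in the hostname list are skipped. Hosts that do
    not resolve are kept with an empty set so the operator can alert on them
    rather than having the allow-list silently shrink.
    """
    result: Dict[str, Set[str]] = {}
    for raw in hostnames:
        host = raw.strip().lower()
        if not host or host.startswith("#"):
            continue
        addrs: Set[str] = set()
        for a in resolver(host):
            try:
                addrs.add(str(ipaddress.ip_address(a)))  # normalise; drop non-IP garbage
            except ValueError:
                continue
        result[host] = addrs
    return result


def unresolved(allowlist: Dict[str, Set[str]]) -> List[str]:
    """Hostnames that produced no address in this run (candidates for an alert)."""
    return sorted(h for h, addrs in allowlist.items() if not addrs)


def merge_allowlists(*allowlists: Dict[str, Set[str]]) -> Set[str]:
    """Union of addresses across several runs, e.g. the daily list plus the hourly one."""
    merged: Set[str] = set()
    for al in allowlists:
        for addrs in al.values():
            merged |= addrs
    return merged


def diff_allowlists(old: Set[str], new: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) between two refreshes so each change can be logged."""
    return new - old, old - new


def render_ipset(name: str, ips: Set[str]) -> str:
    """Render an 'ipset restore' script that builds NAME-new and swaps it in atomically.

    IPv4 only here; IPv6 addresses would need a second 'family inet6' set.
    """
    v4 = sorted((ip for ip in ips if ipaddress.ip_address(ip).version == 4), key=ipaddress.ip_address)
    lines = [f"create {name}-new hash:ip family inet -exist"]
    lines += [f"add {name}-new {ip}" for ip in v4]
    lines += [f"create {name} hash:ip family inet -exist", f"swap {name}-new {name}", f"destroy {name}-new"]
    return "\n".join(lines) + "\n"


# Constructed lookup table standing in for DNS (RFC 5737 / RFC 3849 documentation addresses).
FAKE_DNS_DAILY = {
    "updates.example.com": ["203.0.113.10", "203.0.113.11"],
    "api.example.net": ["198.51.100.7", "2001:db8::7"],
    "gone.example.org": [],
}
# An hour later, updates.example.com has rotated one address.
FAKE_DNS_HOURLY = dict(FAKE_DNS_DAILY, **{"updates.example.com": ["203.0.113.11", "203.0.113.12"]})

APPROVED_HOSTS = ["# approved egress destinations", "updates.example.com", "api.example.net", "gone.example.org"]


def run_demo() -> Dict[str, object]:
    """Simulate a daily run followed by an hourly run and return the intermediate results."""
    daily = resolve_allowlist(APPROVED_HOSTS, lambda h: FAKE_DNS_DAILY.get(h, []))
    hourly = resolve_allowlist(APPROVED_HOSTS, lambda h: FAKE_DNS_HOURLY.get(h, []))
    added, removed = diff_allowlists(merge_allowlists(daily), merge_allowlists(hourly))
    combined = merge_allowlists(daily, hourly)
    return {
        "unresolved": unresolved(daily),
        "added": added,
        "removed": removed,
        "combined": combined,
        "ipset": render_ipset("approved-egress", combined),
    }


if __name__ == "__main__":
    out = run_demo()
    print("unresolved:", out["unresolved"])
    print("added:", out["added"], "removed:", out["removed"])
    print(out["ipset"])
```

Two design points worth noting for anyone trying this. First, the hourly run is unioned with the daily list rather than replacing it, so an address that drops out of a DNS answer (round-robin or CDN rotation) stays permitted until the next daily rebuild; the `diff_allowlists` output is what you would log to see that churn. Second, the `swap`/`destroy` sequence means the firewall never sees a half-built set, which matters when the refresh script runs while traffic is flowing.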