Description
Summary:
Some applications don't use typical DNS mechanisms to resolve domains[1], and so their IPs are not mapped by OpenSnitch.
Reverse DNS on every destination IP address is not practical or reliable; however, a user's rules only ever list a finite set of domains/hosts. Each of these could be queried through DNS and re-queried regularly according to the TTL. The resulting mappings would be cached alongside those obtained by the existing method (inspecting the DNS query responses of user applications), and the same policies would be applied as normal.
This method is used in most commercial firewalls that employ whitelisting based on domains.
[1] Tailscale can use its own bootstrapDNS mechanism to request domain/IP mappings from a central server over HTTPS in certain scenarios. These of course are not registered by OpenSnitch, and domain-name based rules fail to match.
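The following is an added sketch of the proposed mechanism, not OpenSnitch code: the hostnames that appear in the rule set are resolved proactively, each answer is cached until its TTL expires, answers sniffed from applications' own DNS traffic can be fed into the same cache, and a connection to a bare IP is matched against the cached mappings. The class names, the `resolve` callback, and the zone data (TEST-NET addresses under `example.com` / `example.net` / `example.org`) are all constructed for the example.

```python
"""Proactive resolution of the hostnames named in firewall rules (hypothetical sketch)."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Mapping:
    ips: frozenset       # addresses the domain currently resolves to
    expires_at: float    # clock time after which the answer must be re-queried


class RuleHostCache:
    """Keeps domain -> IP mappings for every domain referenced by a rule."""

    def __init__(self, rules, resolve, clock=time.monotonic, min_ttl=30):
        # rules:   {domain: action}
        # resolve: callable(domain) -> (iterable of IP strings, ttl seconds); raises OSError on failure
        # clock:   injectable so expiry can be tested without sleeping
        # min_ttl: floor on caching so a 0-second TTL cannot turn refresh() into a query storm
        self.rules = dict(rules)
        self.resolve = resolve
        self.clock = clock
        self.min_ttl = min_ttl
        self.cache = {}

    def learn(self, domain, ips, ttl):
        """Record a mapping, whether from a proactive query or a sniffed DNS response."""
        addrs = frozenset(str(ipaddress.ip_address(ip)) for ip in ips)
        self.cache[domain] = Mapping(addrs, self.clock() + max(ttl, self.min_ttl))

    def refresh(self):
        """Re-query every rule domain whose cached answer is missing or expired; returns the query count."""
        now = self.clock()
        queried = 0
        for domain in self.rules:
            entry = self.cache.get(domain)
            if entry is None or entry.expires_at <= now:
                try:
                    ips, ttl = self.resolve(domain)
                except OSError:
                    continue  # resolver failure: keep the last known mapping rather than drop the rule
                self.learn(domain, ips, ttl)
                queried += 1
        return queried

    def domains_for(self, ip):
        """All cached domains (rule or sniffed) that currently map to ip."""
        addr = str(ipaddress.ip_address(ip))
        return {d for d, m in self.cache.items() if addr in m.ips}

    def decide(self, ip):
        """Action of the first rule whose domain maps to ip, or None when no rule matches."""
        addr = str(ipaddress.ip_address(ip))
        for domain, action in self.rules.items():
            entry = self.cache.get(domain)
            if entry is not None and addr in entry.ips:
                return action
        return None


# --- constructed stand-ins so the example runs offline ------------------------------

FAKE_ZONE = {  # constructed answers: (addresses, ttl seconds)
    "api.example.com": (["203.0.113.10", "203.0.113.11"], 60),
    "updates.example.net": (["198.51.100.5"], 300),
}


class FakeResolver:
    """Answers from FAKE_ZONE and records every query so TTL-driven re-querying is observable."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []

    def __call__(self, domain):
        self.queries.append(domain)
        if domain not in self.zone:
            raise OSError("constructed NXDOMAIN for %s" % domain)
        return self.zone[domain]


class FakeClock:
    def __init__(self):
        self.t = 1000.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock, resolver = FakeClock(), FakeResolver(FAKE_ZONE)
    cache = RuleHostCache({"api.example.com": "allow", "updates.example.net": "deny"},
                          resolver, clock=clock)
    first = cache.refresh()                      # both rule domains queried
    hit = cache.decide("203.0.113.11")           # bare-IP connection matched via the cache
    miss = cache.decide("192.0.2.99")            # unknown address: no rule applies
    cache.learn("cdn.example.org", ["192.0.2.99"], 120)   # mapping sniffed from an app's DNS reply
    sniffed = cache.domains_for("192.0.2.99")
    clock.advance(61)
    second = cache.refresh()                     # only the 60 s entry has expired
    return {"first": first, "hit": hit, "miss": miss, "sniffed": sniffed,
            "second": second, "queries": list(resolver.queries)}


if __name__ == "__main__":
    print(demo())
```

Two choices in the sketch matter operationally: a resolver failure keeps the stale mapping so an allow/deny rule keeps working during an outage, and `min_ttl` stops a zero-TTL record from making `refresh()` query on every call. Whether a stale mapping should eventually be dropped (so an address a domain no longer owns stops matching an allow rule) is a policy decision this sketch leaves open.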