Given that you have no control over the target DNS and you want to have a very strict allow-list of things that you can connect to, you're going to need to set something up that verifies the validity of your allow-list against the firewall.
For example: Have a list (probably external to DNS Firewall) that has all of the site/DNS records that are allowed. Look each one up. If it is a CNAME, find the record that is returned and add that to the list and therefore to the firewall as well.
You could do this manually, but far better to automate it.
Note that this isn't going to be perfect. Even if you run it at one-minute intervals, you may have some clients blocked as changes occur. And it's entirely possible that the web pages that users are reaching are going to have other sites that they link to, so there is a larger problem here. Restrictive allow-lists are always going to be a lot more work to maintain than is originally thought.
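The CNAME-following step the answer describes, written out as an added example (this is not code from the original post or from AWS). The CNAME records below are constructed test data, the resolver is a table lookup so the script runs offline, and the hypothetical `push_to_firewall` function is an assumption about how the expanded list would be applied to a Route 53 DNS Firewall domain list using the Resolver `UpdateFirewallDomains` API. It goes slightly beyond the post by also handling CNAME loops, overly long chains and names that no longer resolve, which are the cases that otherwise leave stale or missing entries in the firewall.

```python
"""Expand a DNS allow-list by following CNAME chains to their targets.

Added example, not part of the original answer. SAMPLE_CNAMES is constructed
data; plug in a real resolver (e.g. dnspython) for live use.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: owner name -> CNAME target, or None when the name
# is terminal (an A/AAAA record rather than a CNAME). Names are stored as FQDNs.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "www.example.com.": "example.cdn-provider.net.",
    "example.cdn-provider.net.": "edge-12.cdn-provider.net.",
    "edge-12.cdn-provider.net.": None,
    "api.example.com.": None,
    "loop-a.example.org.": "loop-b.example.org.",   # deliberate CNAME loop
    "loop-b.example.org.": "loop-a.example.org.",
}

# A resolver answers "what does this name CNAME to?"; it returns None for a
# terminal record and raises LookupError when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def normalize(name: str) -> str:
    """Lower-case and ensure a single trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".") + "."


def table_resolver(table: Dict[str, Optional[str]]) -> Resolver:
    """Build an offline resolver over a constructed record table."""
    def resolve(name: str) -> Optional[str]:
        if name not in table:
            raise LookupError(name)   # stands in for NXDOMAIN / SERVFAIL
        return table[name]
    return resolve


def expand_allow_list(names: List[str], resolve_cname: Resolver,
                      max_depth: int = 8) -> Tuple[List[str], List[str]]:
    """Return (allowed, unresolved).

    allowed    - the original names plus every CNAME target in each chain;
                 all of them must be in the firewall list or the client's
                 lookup fails partway through the chain.
    unresolved - names where the chain broke (NXDOMAIN, loop, too deep), so
                 an operator can review them instead of silently allowing.
    """
    allowed = set()
    unresolved: List[str] = []
    for raw in names:
        name = normalize(raw)
        allowed.add(name)
        seen = {name}
        current, depth = name, 0
        while True:
            try:
                target = resolve_cname(current)
            except LookupError:
                unresolved.append(current)
                break
            if target is None:            # reached the terminal A/AAAA record
                break
            target = normalize(target)
            if target in seen or depth >= max_depth:
                unresolved.append(current)  # CNAME loop or runaway chain
                break
            allowed.add(target)
            seen.add(target)
            current, depth = target, depth + 1
    return sorted(allowed), unresolved


def to_firewall_format(names: List[str]) -> List[str]:
    """Strip the trailing dot; assumption: domain-list entries are written
    as plain 'host.example.com', not FQDNs with a trailing dot."""
    return [n.rstrip(".") for n in names]


def plan_update(current: List[str], desired: List[str]) -> Tuple[List[str], List[str]]:
    """Diff the firewall's current domain list against the expanded list."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)   # (to_add, to_remove)


def push_to_firewall(domain_list_id: str, domains: List[str]) -> None:
    """Hypothetical apply step (not executed here): replace the domain list
    contents via the Route 53 Resolver UpdateFirewallDomains API."""
    import boto3  # imported lazily so the offline example needs no AWS SDK
    client = boto3.client("route53resolver")
    client.update_firewall_domains(FirewallDomainListId=domain_list_id,
                                   Operation="REPLACE", Domains=domains)


if __name__ == "__main__":
    allowed, broken = expand_allow_list(
        ["www.example.com", "api.example.com", "loop-a.example.org"],
        table_resolver(SAMPLE_CNAMES))
    print("allow-list for firewall:", to_firewall_format(allowed))
    print("needs review:", broken)
```

Run it on a schedule (the answer suggests every minute) and feed the `unresolved` list to an alert rather than dropping those names: a chain that broke is exactly the case where a client will start getting blocked, and a chain that quietly changed is the reason the expanded targets must be recomputed each run rather than added once.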