Nftables - Filtering traffic at IP address level based on relevant domain name

I see, okay

As I've successfully got Netflix-only access for my TV with the above approach (with the use of an nft set), I want to share something that wasn't completely clear to me at the beginning.

As a starting point to get the list of domains to whitelist, you enable DNS logging, preferably to an external device via UDP messages. While looking for the domains that the TV will try to access, you cherry-pick the ones that look legitimate and include them in the list of allowed ones.

Many domains will return a Canonical Name (CNAME), so the DNS log will look like:

query exampledomain.com
reply exampledomain.com CNAME cnameforexampledomain.com
query cnameforexampledomain.com
reply cnameforexampledomain.com is at 192.168.1.101 (it will of course not be a private address like this one).

My mistake was to include cnameforexampledomain.com in the allow list instead of exampledomain.com.

At least dnsmasq 2.89-4 doesn't process the CNAME-related queries within the nft set; instead it processes the main domain (exampledomain.com) and the relevant CNAME.
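The pitfall described in the post is easy to automate away: when reading the DNS log, map every resolved address back through the CNAME chain to the name the client actually queried, and put that name (not the CNAME target) in the dnsmasq nftset= line. The following script is an added example, not code from the poster or from dnsmasq; its sample log is constructed in the same simplified shape as the excerpt above (not a real capture), and the set name netflix4 in the inet table filter, referenced from the nftset= option, is an assumption.

```shell
#!/bin/sh
# Constructed sample log, laid out like the simplified excerpt in the post.
# Addresses are documentation ranges; the third query shows a two-hop CNAME chain.
SAMPLE_LOG='query exampledomain.com
reply exampledomain.com CNAME cnameforexampledomain.com
query cnameforexampledomain.com
reply cnameforexampledomain.com is at 203.0.113.10
query other.example.net
reply other.example.net is at 198.51.100.7
query deep.example.org
reply deep.example.org CNAME edge.cdn.example
reply edge.cdn.example CNAME node7.cdn.example
reply node7.cdn.example is at 192.0.2.44'

# resolve_origin LOG
# For each "reply <name> is at <addr>" line, print "<addr> <queried-name>",
# where <queried-name> is found by walking the CNAME links backwards.
resolve_origin() {
    printf '%s\n' "$1" | awk '
        # remember CNAME target -> owner so the chain can be walked back
        $1 == "reply" && $3 == "CNAME" { origin[$4] = $2; next }
        $1 == "reply" && $3 == "is" && $4 == "at" {
            name = $2
            hops = 0
            # follow the chain to the name the client asked for; cap hops
            # so a malformed log with a CNAME loop cannot hang the script
            while ((name in origin) && hops++ < 16) name = origin[name]
            print $5, name
        }'
}

# nftset_lines LOG
# Emit one dnsmasq nftset= line per distinct queried name, pointing at the
# (assumed) IPv4 set netflix4 in table inet filter. dnsmasq then adds the
# final A-record addresses of each matching answer to that set itself.
nftset_lines() {
    resolve_origin "$1" | awk '!seen[$2]++ { print "nftset=/" $2 "/4#inet#filter#netflix4" }'
}

# Stand-alone run: show the address -> queried-name mapping and the config lines.
resolve_origin "$SAMPLE_LOG"
nftset_lines "$SAMPLE_LOG"
```

On the constructed sample the output never mentions cnameforexampledomain.com or the cdn.example hops: 203.0.113.10 is attributed to exampledomain.com and 192.0.2.44 to deep.example.org, which is exactly what the allow list needs. The set referenced by the nftset= lines has to exist in the ruleset before dnsmasq starts (an ipv4_addr set in the named table), and the rule permitting the TV's traffic should match on that set rather than on hard-coded addresses, since CDN targets behind the CNAME change over time.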