Restricted guest network for older mobile devices

Hey guys!

I've set up an isolated guest network for an older tablet we'd like to use just for Netflix. I am considering locking down the firewall to allow only the Netflix and Google (for Google Play) IP ranges, but they seem rather big, so I'm not sure how effective that really is.

Does anyone have any tips on how best to approach this? The router is a dual-core MIPS MT7621, if that matters.

Thank you!

dnsmasq-full has support for ipset, which allows you to get an ipset with all IP addresses used by, for example, *.google.com, etc.
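
The dnsmasq ipset approach from the reply above, sketched as an added example that is not part of the thread. The set name, guest interface and domain list are assumptions, and the script only prints the dnsmasq directive and firewall commands for review.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are assumptions.
SET=guest_allow        # hypothetical ipset name
GUEST_IF=br-guest      # hypothetical guest bridge interface
# Illustrative, incomplete domain list; watch the dnsmasq query log for the
# names the tablet actually asks for and extend it.
DOMAINS="netflix.com nflxvideo.net nflximg.net google.com googleapis.com gstatic.com"

# Emit the dnsmasq directive: ipset=/<domain>/<domain>/.../<set>
# Every answer for these domains and their subdomains is added to <set>.
dnsmasq_ipset_line() {
    set_name=$1; shift
    line="ipset="
    for d in "$@"; do
        case $d in
            # A '/' or other stray character would shift the fields dnsmasq parses.
            ''|*[!A-Za-z0-9.-]*) echo "bad domain: $d" >&2; return 1 ;;
        esac
        line="$line/$d"
    done
    printf '%s/%s\n' "$line" "$set_name"
}

# Emit the commands that create the set and restrict forwarding from the
# guest interface to addresses in it (IPv4 only; reply traffic is assumed to
# be covered by an existing conntrack ESTABLISHED rule).
firewall_rules() {
    cat <<EOF
ipset create $1 hash:ip timeout 86400 -exist
iptables -I FORWARD 1 -i $2 -m set --match-set $1 dst -j ACCEPT
iptables -I FORWARD 2 -i $2 -j REJECT
EOF
}

# Print both artifacts for review; nothing is applied to the system.
dnsmasq_ipset_line "$SET" $DOMAINS
firewall_rules "$SET" "$GUEST_IF"
```

The set has to exist before dnsmasq starts adding to it, and it only fills from queries this dnsmasq answers, so the tablet must use the router as its resolver.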

Thanks, it looks like Unbound has similar ipset support and I'm already using Unbound, so I will look into that.