by rotoole 3680 days ago
Aside from being easier to automate, getting IPs via the ASN lookup is also better for blocking HTTPS requests when you are MITM, since the HTTPS request will only contain the IP and not the FQDN.

Also, many firewalls do a one-time DNS lookup of a given FQDN to resolve a single IP address when an FQDN-based rule is created. This doesn't work well if you have an FQDN that can resolve to many different IPs, which is typical for cloud services.


TLS connections from browsers usually include the SNI extension that has the destination host name in clear text. It requires a TLS-specific blocker, rather than IP firewalling, but is probably more flexible. You could also just block the names in DNS.
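Added example, not code from either commenter: a minimal parser that pulls the host name out of the SNI extension of a TLS ClientHello and checks it against a suffix blocklist, which is the "TLS-specific blocker" the reply refers to. The ClientHello bytes are constructed by build_client_hello() for the demonstration (zero random, one cipher suite, one unrelated extension) rather than captured traffic; the function names and the blocked-name list are the example's own assumptions.

```python
import struct
from typing import Iterable, Optional, Tuple

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000    # extension type: server_name (RFC 6066)
HOST_NAME_TYPE = 0x00          # only defined NameType in server_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record as constructed test input.
    hostname=None omits the SNI extension, as some non-browser clients do."""
    body = b"\x03\x03"                            # client_version TLS 1.2
    body += b"\x00" * 32                          # random (zeros: constructed)
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    # an unrelated, empty extension (extended_master_secret) so the parser must skip one
    extensions += struct.pack("!HH", 0x0017, 0)
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension of a ClientHello record,
    or None if the record is not a complete ClientHello or carries no SNI."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                               # truncated record: don't guess
    pos = 2 + 32                                  # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # compression_methods
    if len(body) < pos + 2:
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                         # walk the extension list
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE or len(ext_data) < 2:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        names = ext_data[2:2 + list_len]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


def should_block(record: bytes, blocked_suffixes: Iterable[str]) -> Tuple[bool, str]:
    """Decide on a ClientHello by SNI: block the name itself and any subdomain.
    A hello without SNI cannot be matched by name; the caller must fall back
    to IP-based rules for it."""
    host = extract_sni(record)
    if host is None:
        return False, "no SNI"
    host = host.lower().rstrip(".")
    for suffix in blocked_suffixes:
        suffix = suffix.lower().rstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True, host
    return False, host


if __name__ == "__main__":
    print(should_block(build_client_hello("api.example.com"), ["example.com"]))
```

The suffix match is deliberate: matching "example.com" as a substring would also block "notexample.com". The "no SNI" branch is the caveat behind both comments: a client that omits the extension (or, with Encrypted Client Hello, hides it) gives a name-based blocker nothing to act on, and only IP- or ASN-range rules remain.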