I disagree. Most HTTP configs I've seen use virtual hosts, which means that the correct Host header is the only way to get the server to send the request to the right site.
(When dealing with SSL, then things are different, because you can't authenticate the connection until you get the cert, you can't send data until the connection is authenticated, and the server can't give you the right cert until it gets the Host. Fundamental conflict, leading to one-IP-per-domain-name, or a pricey wildcard certificate. So in that case, the server doesn't care much about Host anymore, but you are still protected because the domain name that the browser sees has to match the one in the cert, or the browser gives you the OH NOES dialog. But I digress.)
It's not even necessary to check the HOST header. Simply use name-based virtual hosts and forbid access to the default virtual host. This denies access to simple drive-by bots that crawl IP ranges and others that request a HOST that isn't configured as a virtual host.
And yes I could easily create a CNAME record to do the same thing but you have to have a reasonable amount of knowledge to do so. Unlike this tool.