More often, I'm finding the need to permit outbound access to an FQDN that can have a few to several IP endpoints (i.e. a service that itself leverages multiple services to host its platform and/or CDN).
Permitting based on an FQDN has had its own host of issues. Most of our internal servers do not use the same DNS as our perimeter firewall - therefore the DNS lookups will mismatch. The DNS A record request is almost always going to return just a single IP, so the more IPs in the pool, the more likely you'll end up mismatching.
I was curious to know what's regarded as current best practice. Is everyone still defining a list of IPs and altering it as needed?
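The mismatch described in the post, modelled as an added example that is not part of the original thread: the firewall's FQDN object only permits IPs its own resolver has returned (and only until they expire), while clients connect to whatever their separate resolver hands them. All addresses are constructed documentation-range values and the TTL handling is an assumption, not any vendor's behaviour.

```python
from dataclasses import dataclass, field

# Constructed sample: successive A-record answers for the same FQDN, as seen by the
# firewall's resolver and by the internal clients' resolver. A round-robin pool means
# each single answer covers only a slice of the pool, so the two sides drift apart.
FIREWALL_ANSWERS = ["203.0.113.10", "203.0.113.11", "203.0.113.10", "203.0.113.12"]
CLIENT_ANSWERS = ["203.0.113.13", "203.0.113.11", "203.0.113.14", "203.0.113.10"]
TTL = 300  # seconds a learned IP stays in the FQDN object (assumed value)


@dataclass
class FqdnObject:
    """Firewall FQDN address object: IPs learned from its own resolver, each with an expiry."""

    ttl: int
    learned: dict = field(default_factory=dict)  # ip -> absolute expiry time (seconds)

    def refresh(self, ip: str, now: int) -> None:
        """Record (or extend) an IP returned by the firewall's own DNS lookup."""
        self.learned[ip] = now + self.ttl

    def permits(self, ip: str, now: int) -> bool:
        """Allow only destinations currently present and unexpired in the object."""
        return self.learned.get(ip, -1) > now


def simulate(fw_answers, client_answers, ttl, interval=60):
    """Interleave firewall refreshes with client connections.

    Returns (allowed_count, blocked_ips): blocked_ips are destinations a client
    resolved that the firewall had not learned, or had already expired.
    """
    obj = FqdnObject(ttl)
    allowed, blocked = 0, []
    for i, (fw_ip, client_ip) in enumerate(zip(fw_answers, client_answers)):
        now = i * interval
        obj.refresh(fw_ip, now)  # firewall re-resolves the FQDN on its schedule
        if obj.permits(client_ip, now):
            allowed += 1
        else:
            blocked.append(client_ip)
    return allowed, blocked


if __name__ == "__main__":
    print(simulate(FIREWALL_ANSWERS, CLIENT_ANSWERS, TTL))
```

Half the connections are dropped even though every destination is a legitimate member of the pool; shortening the TTL makes it worse because IPs the firewall did learn expire before a client happens to be handed them.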