ASA FQDN access lists
At the time of this post, I had limited exposure to ASA 9.2 code and particularly using FQDN access-lists.
Essentially what you can do is create an object with the Fully Defined Domain Name (FQDN) of a domain nested within. You can create multiple of these and place them inside a single object-group to keep things tidy (and you should!).
As the hosts hit the ASA, the ASA will do a DNS lookup with the FQDN hosts listed within your object’s and permit traffic from only that A record/CNAME inbound. This can be used to allow access to cloud services which change their A records often.
Below is visual example showing the DNS query performed by the ASA, and the access-list showing hits on the fqdn.
ASA# show access-list inside_in access-list inside_in; 4 elements; name hash: 0xd3a8690b access-list inside_in line 1 deny ip any object obj-hr88.cisco.com access-list inside_in line 1 deny ip any fqdn hr88.cisco.com (resolved) access-list inside_in line 1 deny ip any host 10.32.2.4 (hr88.cisco.com) (hitcnt=10) access-list inside_in line 1 deny ip any host 10.32.2.3 (hr88.cisco.com) (hitcnt=35) access-list inside_in line 2 permit ip any any (hitcnt=12022)
Have a read more in the below article for some further insight; Pretty cool stuff!
Sources: ASA FQDN access-lists Part 1 | Network Inferno – Using Hostnames (dDNS) in Access Lists