
Add domain A records to firewall rule

Posted: Thu Feb 26, 2015 10:53 am
by atomicbox
How could we add all related A records of a domain to firewall rules?

Something like allow outbound on:

Name: db.us.big.clamav.net
200.236.31.1/32, 155.98.64.87/32, 194.8.197.22/32, 69.12.162.28/32, etc...

We can add the IPs once but if they change over time there's no way to automatically update them.

Re: Add domain A records to firewall rule

Posted: Thu Feb 26, 2015 4:26 pm
by scott
You can, but they aren't really dynamic. What netfilter will do is resolve that domain to an IP when the policy is loaded; it won't change if the hostname changes unless you reload the firewall policy again.
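
One way to keep the allowed addresses current without reloading the policy, as an added example that is not part of the original thread or of any product discussed here: a rule matches a named ipset once, and a scheduled script re-resolves the hostname and loads only the difference into that set. The set name `clamav_mirrors`, the script name and the cron scheduling are assumptions.

```shell
#!/bin/sh
# Added example. Set name, script name and scheduling are assumptions.
# One-time rule that references the set by name (members can change later):
#   iptables -A OUTPUT -m set --match-set clamav_mirrors dst -j ACCEPT

# Pass through only well-formed IPv4 addresses, sorted and de-duplicated,
# so nothing else in a DNS answer can reach the firewall.
valid_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    grep -E "^($o\.){3}$o\$" | sort -u
}

# Current A records of a host (needs network; getent ships with glibc).
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | valid_ipv4
}

# Print "ipset restore" lines that turn the current members into the resolved ones.
# $1 = set name, $2 = current members, $3 = resolved IPs (newline separated).
plan_update() {
    cur=$(printf '%s\n' "$2" | valid_ipv4)
    new=$(printf '%s\n' "$3" | valid_ipv4)
    # Empty or failed lookup: change nothing rather than empty the allow-list.
    [ -n "$new" ] || return 1
    for ip in $(printf '%s\n' "$new" | grep -Fxv -e "$cur" || true); do
        printf 'add %s %s\n' "$1" "$ip"
    done
    for ip in $(printf '%s\n' "$cur" | grep -Fxv -e "$new" || true); do
        printf 'del %s %s\n' "$1" "$ip"
    done
}

# Apply: create the set if missing, read its members, load the delta.
sync_set() {
    ipset -exist create "$1" hash:ip
    members=$(ipset save "$1" | awk '$1 == "add" {print $3}')
    plan_update "$1" "$members" "$(resolve_a "$2")" | ipset -exist restore
}

# e.g. from cron:  sync.sh --sync clamav_mirrors db.us.big.clamav.net
if [ "${1:-}" = "--sync" ]; then sync_set "$2" "$3"; fi
```

Because the rule matches on the set name, re-running the sync changes what is allowed without reloading the policy. The allow-list is then only as trustworthy as the resolver that answered the lookup.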