Hopefully address lists will support regular expressions on a future release. FYI to the other members, adding a CNAME to the address list seems to add dynamic entries for all associated A record IP addresses.
It doesn't seem likely that there will ever be regex support in this feature because of how it works.
Whenever you define a hostname in an address list, the router immediately performs a DNS lookup on the name you specified, and all IP addresses returned by the DNS server are added as dynamic IP entries in the list, with timeouts set the same as the TTL returned by DNS. In other words, the IPs cannot live in the list for any longer than DNS....
Ok, so far so good, but why can't you use regex here?
It has been best practice for at least as long as I have been in the industry (since the 90s) to deny anyone having access to read your entire zone - in other words, DNS is like that children's card game "go fish" - clients may ask any name they like, and the DNS server will give the answer if it has one, or else say "not found" (i.e. 'go fish'). You can't just say "give me all of your cards."
So you can't say to a DNS server - give me every possible name you have that ends in google.com
So when you specify a regex, that's essentially what you're doing....
Another complication is that reverse DNS doesn't necessarily match forward DNS. Since the packet filter table is dealing in packets and IP addresses (not names), it doesn't know what name may or may not map to a certain IP address. Take the famous 184.108.40.206 public DNS server at Google.... I could go into my own DNS server, and set a host name "silly.dns.server.example.com" and resolve that to 220.127.116.11 How would the firewall know that I had typed "ping silly.dns.server.example.com" to generate ICMP echo requests to 18.104.22.168?
One thing that could be done is to snoop DNS and if any DNS replies contain hostnames which match your definition, then the IP addresses contained in those DNS responses could be added to the address list.... This could be worked around by clever clients though - if they know which hostnames are going to be used and a valid IP to go with them, they could just place these hostnames into their local hosts file and bypass the DNS snooping. Or they could use DNScrypt, or VPN.....
In the end, blocking outgoing user activity is a never-ending battle. Like Princess Leia told Governor Tarkin: "The more you tighten your grip, the more star systems will slip through your fingers."