It's something completely different.
With TLS host, there's hostname in packet (as part of SNI) belonging to connection, so when it arrives, it's easy to match "something.example.net" against "*.example.net".
Address list resolves given hostname to IP address, which is then used by firewall. It also watches TTL and resolves the hostname again, when it's about to expire. It's clearly impossible to make this approach work with wildcards, system would have to try to resolve all names that "*" can stand for, so it would be combinations of "a-z", "0-9", "_", "-" for 1-63 characters. That's a lot of combinations.
Trying to synchronously get hostname when when first packet for some address arrives is impossible too. Not only it would kill router's performance, but there's no clear 1:1 mapping from IP address to hostname.
Only way I can imagine it could work would be if DNS cache would check hostnames against the wildcard and would update address list, if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that client used router as resolver.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.