I'm not even sure this would be a problem in practice? If you just use the system's resolver, this already takes TTL into account and will answer from its local name service cache if possible?

You could try to resolve lists, say, every 10 minutes and feed the resolved IPs into firewall tables. You could try to increase the frequency and run into the problem that processing takes too much time.
Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes...the ruleset must be reloaded for the change to be reflected in the kernel.
One could imagine a separate daemon keeping that updated based on names.

I did exactly that (imagine, I mean), and the first name that came to mind is, well, firewalld!
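The "separate daemon" the thread sketches, written out as an added example; this is not code from any poster, from pf or from firewalld. It resolves a list of names, takes the shortest TTL as the refresh interval (clamped to a 30 s floor and the 10 minute ceiling mentioned above), and pushes only the changed addresses into a pf table with pfctl -T add/delete, so the table is never flushed. The table name allowed_hosts, the interval bounds and the default TTL are assumptions. The resolver is injectable: the default uses socket.getaddrinfo, which honours the system resolver and its cache but exposes no TTL, so a fixed one is assumed there; the demo at the bottom uses a constructed resolver so it runs offline.

```python
"""Keep a pf table in sync with DNS names (added example, not project code).
Assumed: a table declared 'table <allowed_hosts> persist' in pf.conf."""
import ipaddress
import socket
import subprocess
import time
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver returns (addresses, ttl_seconds) for one name.
Resolver = Callable[[str], Tuple[Set[str], int]]

MIN_INTERVAL = 30    # floor: never poll faster than this, even on tiny TTLs
MAX_INTERVAL = 600   # ceiling: the "every 10 minutes" from the thread
DEFAULT_TTL = 300    # assumed TTL when the resolver API cannot report one


def getaddrinfo_resolver(name: str) -> Tuple[Set[str], int]:
    """Use the system resolver (and therefore its local cache).  getaddrinfo
    exposes no TTL, so DEFAULT_TTL is assumed; a DNS library such as dnspython
    would return the real one."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {ai[4][0] for ai in infos}, DEFAULT_TTL


def refresh(names: Iterable[str], current: Dict[str, Set[str]],
            resolver: Resolver) -> Tuple[Dict[str, Set[str]], int]:
    """Resolve every name.  Returns the new per-name address sets and the
    seconds to wait before the next pass (shortest TTL, clamped).
    A name that fails to resolve keeps its previous addresses: emptying the
    table on a transient DNS error would silently change the policy."""
    new: Dict[str, Set[str]] = {}
    shortest = MAX_INTERVAL
    for name in names:
        try:
            addrs, ttl = resolver(name)
        except OSError:                       # socket.gaierror is an OSError
            new[name] = set(current.get(name, set()))
            shortest = min(shortest, MIN_INTERVAL)   # retry the failure soon
            continue
        # Normalise so '2001:DB8::1' and '2001:db8::1' do not churn the table.
        new[name] = {str(ipaddress.ip_address(a)) for a in addrs}
        shortest = min(shortest, ttl)
    return new, max(MIN_INTERVAL, min(MAX_INTERVAL, shortest))


def table_diff(old: Dict[str, Set[str]],
               new: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Addresses to add to and to delete from the table, over all names."""
    old_all = set().union(*old.values())
    new_all = set().union(*new.values())
    return new_all - old_all, old_all - new_all


def pfctl_commands(table: str, added: Set[str],
                   removed: Set[str]) -> List[List[str]]:
    """Build 'pfctl -t TABLE -T add|delete ADDR...' invocations.  Only the
    differences are pushed, so there is no window in which the rules see an
    empty table.  TABLE must be declared 'persist' so it survives with no
    members."""
    cmds: List[List[str]] = []
    if added:
        cmds.append(["pfctl", "-t", table, "-T", "add", *sorted(added)])
    if removed:
        cmds.append(["pfctl", "-t", table, "-T", "delete", *sorted(removed)])
    return cmds


def run(names: List[str], table: str, resolver: Resolver = getaddrinfo_resolver,
        apply: bool = True, passes: int = 0) -> None:
    """Main loop.  passes=0 runs forever; apply=False only prints commands."""
    state: Dict[str, Set[str]] = {}
    done = 0
    while passes == 0 or done < passes:
        new_state, interval = refresh(names, state, resolver)
        for cmd in pfctl_commands(table, *table_diff(state, new_state)):
            if apply:
                subprocess.run(cmd, check=True)
            else:
                print(" ".join(cmd))
        state = new_state
        done += 1
        if passes == 0 or done < passes:
            time.sleep(interval)


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline (RFC 5737 / RFC 3849 addresses).
    fake_dns = {"mail.example.com": ({"192.0.2.10"}, 60),
                "www.example.com": ({"192.0.2.20", "2001:db8::20"}, 3600)}
    run(list(fake_dns), "allowed_hosts",
        resolver=lambda n: fake_dns[n], apply=False, passes=1)
```

Two choices worth noting: the per-name state is what makes the failure case safe (a name that stops resolving keeps its last answer instead of vanishing from the table), and diffing against the previous pass means a ruleset reload is never needed, which is exactly the limitation the quoted pf.conf(5) text describes for names written directly into rules.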