Digital Ocean VS Vultr

IMO, blocking by ASN / country / bad guys is complex, nearly useless and often causes trouble. If your plane is unexpectedly diverted to Minsk, your call to say you’ll be late shouldn’t be blocked because Belarus is on the bad guy list.

There are two kinds of attackers, those who scan every IPv4 address on the internet looking for vulnerabilities, and those who are attacking your system specifically.

For the former, hiding behind a ‘secret’ domain name is simple, nearly 100% effective, while never blocking legitimate access.

Though a domain name filter is not very useful against a targeted attack, neither is any sort of blacklist – the attack will surely be launched from a non-blacklisted address in the destination country.

Defense against targeted attacks requires a real security mechanism (VPN, client certificates, etc.)

IMO, the only common service that can’t be protected with a domain name filter is SSH. However, I don’t see much risk in using a strict whitelist for that – if you lose control of a cloud system or a VM, console access allows recovery. For on-site bare metal, you can ask someone present to enable your access.
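
The domain name filter described in the post above, sketched as an added example (not part of the original post and not code from any PBX or firewall product). It assumes the protected services are SIP and HTTP, which the post does not specify; `SECRET_DOMAIN`, the function names and the sample requests are constructed for illustration.

```python
import re

# Assumption: the unadvertised name that legitimate clients are configured with.
SECRET_DOMAIN = "pbx-7f3k.example.net"  # constructed placeholder

# Host part of a sip:/sips: Request-URI, skipping optional userinfo.
_SIP_HOST = re.compile(r"^sips?:(?:[^@\s]*@)?(\[[^\]]+\]|[^:;?\s>]+)", re.I)

def _norm(host):
    """Lower-case, drop a trailing :port and trailing dot (IPv6 literal kept)."""
    host = host.strip().lower()
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0].rstrip(".")

def addressed_host(raw):
    """Return the host a SIP or HTTP request was addressed to, or None."""
    try:
        lines = raw.decode("utf-8").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    _method, target, version = parts
    if version.upper().startswith("SIP/"):
        m = _SIP_HOST.match(target)
        return _norm(m.group(1)) if m else None
    if version.upper().startswith("HTTP/"):
        for line in lines[1:]:
            if not line:            # blank line ends the header section
                break
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                return _norm(value)
    return None

def allow(raw):
    """Accept only requests addressed to the secret name, never to a bare IP."""
    return addressed_host(raw) == SECRET_DOMAIN

# Constructed sample traffic: internet-wide scanners address the IP directly.
SCAN_SIP = b"OPTIONS sip:100@203.0.113.10 SIP/2.0\r\nCSeq: 1 OPTIONS\r\n\r\n"
SCAN_HTTP = b"GET /admin/config.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
LEGIT_SIP = b"REGISTER sip:pbx-7f3k.example.net SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"
LEGIT_HTTP = b"GET / HTTP/1.1\r\nHost: PBX-7F3K.example.net:443\r\n\r\n"

if __name__ == "__main__":
    for name in ("SCAN_SIP", "SCAN_HTTP", "LEGIT_SIP", "LEGIT_HTTP"):
        print(name, "allow" if allow(globals()[name]) else "drop")
```

The filter holds only while the name stays out of public sources such as DNS zone listings and Certificate Transparency logs.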