NW policy to allow FQDN

i have an offline cluster and i need to allow this cluster to communicate with AWS SES service through nw policy
what is the best practice for it

We don’t have FQDN support, but are considering it. How do you expect the policy to work?

A) we (k8s) periodically resolve the name to as many IPs as DNS returns, and policy those. Disadvantage: we might not get ALL the IPs (DNS can return a subset).

B) we (k8s) intercept all your DNS traffic, and when we see a request for a policied FQDN we apply policy to the DNS response “just in time”. Disadvantage: DNS latency goes up with a new component in the request path.

C) something else?