Are you sure you understand DNS well? Separation by hostnames located on the same IP address makes sense for HTTP - you can configure different request processing depending on the Host header.

What does "only through a specific domain" mean?
Those. that it was impossible to be connected, already knowing IP of the server, but not knowing the domain?
I doubt. In the HTTP protocol, the server name is transmitted in the headers, in HTTPS it is transmitted first through SNI, then in the headers, but in ShadowSocks ... they threw out the analysis of the SNI extension not so long ago. So most likely ShadowSocks is in a drum how the user found out the IP - through DNS or something else.
And most importantly, why? What scenario requires this?

What does "through a specific domain" mean? And why do you need this, I understand that this is a protective measure - a protective measure from what, from whom?

the firewall does not work with domain names, it only works with ip
something like this (an example far from applied)
allow the passage of packets from addresses 888.888.888.888 range mask 24
iptables -A INPUT -s 888.888.888.888/24 -j ACCEPT
discard all packets from other addresses
iptables -P INPUT DROP