Routing third-level domains to internal IP addresses
How can something like this be implemented:
preferably with the help of standard system utilities and resistant to heavy loads
What you need is not routing, but proxying.
All A-records point to 172.23.45.34, and then the web server on this machine, depending on the Host header, proxies the request to one of the backends. It is configured by regular means in any modern web server.
For web applications, one of the best options is to use nginx on a gateway with the following configuration:
# One server block per subdomain; nginx selects the block by the Host header.
server {
    listen 80;
    server_name app1.domain.com;
    location / {
        # proxy_pass requires a scheme (http://)
        proxy_pass http://10.0.0.1:80;
        proxy_set_header Host $http_host;
    }
}
server {
    listen 80;
    server_name app2.domain.com;
    location / {
        proxy_pass http://10.0.0.2:80;
        proxy_set_header Host $http_host;
    }
}
server {
    listen 80;
    server_name app3.domain.com;
    location / {
        proxy_pass http://10.0.0.3:80;
        proxy_set_header Host $http_host;
    }
}
Pros:
+ If you SUDDENLY want to transfer an application, for example app1, to hosting, then there will be no problems; this can be done transparently.
+ You are completely untethered from physical location.
+ If suddenly one of the applications is too loaded, you can run it on several machines and use balancing, caching, and other goodies of nginx.
Cons:
- All of the above is only for HTTP.
Addition: By the way, the above method with nginx does not conflict with the above DNAT via iptables at all. It is easy to configure DNAT to forward port 80 inside the local network to the input of nginx.
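A hardened variant of the Host-based proxying described above, as an added example that is not part of the original answer: it adds a catch-all server for unknown Host headers and an upstream group for the "run it on several machines" case. The upstream name app1_backend and the second backend address 10.0.0.11 are assumptions; the hostnames and the other 10.0.0.x addresses are the ones used in the answer.

```nginx
# Added example, not from the original answer. Place inside the http {} context.

# Balancing for a loaded application: app1 served by two machines.
upstream app1_backend {
    server 10.0.0.1:80;
    server 10.0.0.11:80;   # assumed second machine for app1
    keepalive 16;          # reuse connections to the backends
}

# Catch-all. Without an explicit default_server, nginx hands any request
# whose Host header matches no server_name to the first server block
# defined for the port, so an arbitrary Host would reach app1's backend.
server {
    listen 80 default_server;
    server_name _;
    return 444;            # close the connection without a response
}

server {
    listen 80;
    server_name app1.domain.com;

    location / {
        proxy_pass http://app1_backend;

        # Required for upstream keepalive to take effect.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # $host is the normalized name nginx matched on, not the raw header.
        proxy_set_header Host $host;

        # Without these the backend only ever sees the gateway's address.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The server blocks for app2 and app3 follow the same pattern with their own backend addresses.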
Create a subdomain, specify your internal IP (at least localhost) in its A record, and that's it. This can be done through any hosting control panel.
The principle of operation is simple: take 3 more external IPs from the host for the domain.com host, register them in the A records of the subdomains, and traffic from them (all or a specific protocol / ports) is allowed through to the internal hosts. But, in my opinion, this makes sense only if you need to ensure that there is no access to internal hosts from the outside except for what is explicitly allowed, and you are ready to neglect reliability for this: if domain.com falls, the subdomains will also fall. It’s easier, in my opinion, not to bother with a single entry point and give everyone an external address if you don’t have balancing and other things.
For your task, if it is acceptable to use different ports, then it is better to proxy by ports. Although it all depends on what kind of application it is. For HTTP, by headers; for FTP, no way (with one IP).
If the protocol of your application passes the domain, then route by it.
The call, after all, goes to your server by IP, and if the protocol does not provide for the transfer of the host name, then there is no way to determine where the client wants to go. HTTP passes the DNS name in its header.
If you still need routing of your protocol, then I think it's better to either wrap it in HTTP, or write a proxy module, haproxy, for example.