Apple iOS App Privacy Report

For anyone operating under a Zero Trust policy (deny all, allow some) built exclusively on Allowlist (whitelist) Rules, Apple now makes it easy to identify all the domains a given app uses.

Apple calls it the App Privacy Report, available since iOS 15.2.

You access it via Settings → Privacy (scroll to bottom) → App Privacy Report. After you enable it, each app shows all of the domains it contacts.

Let’s take a look at the iMessage app on my iPhone, for example:

It is several pages of domains, including many more p[xy]-content.icloud.com entries.

However, since our Rules (lists) can include subdomains, we can conclude that the domains required for iMessage to operate are:

apple.com
icloud.com
icloud-content.com

This same process can be followed for any iOS app to determine its domain names. Just because an app uses a domain does not mean the domain is required. For example, many apps use trackers like Google-owned app-measurement.com, which you definitely do not want to allow.
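The triage described above, as an added example that is not part of the original article: it checks hostnames copied from an app's report against the three allow rules and the tracker domain named here. The sample hostnames are constructed, and matching a rule on whole DNS labels is an assumption about how the rule engine treats subdomains.

```python
# Added example: the hostnames in OBSERVED are constructed, not from a real report.
ALLOW_RULES = ["apple.com", "icloud.com", "icloud-content.com"]  # from the article
TRACKER_RULES = ["app-measurement.com"]                          # from the article

OBSERVED = [  # constructed sample of hostnames copied from an app's report
    "host-a.apple.com",
    "P01-Content.iCloud.com.",   # mixed case and trailing root dot
    "cdn.icloud-content.com",
    "icloud.com",
    "notapple.com",              # shares a suffix string, but is a different domain
    "app-measurement.com",
    "cdn.example.net",
]

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")

def covered_by(host, rule):
    """True if host equals rule or is a subdomain of it (whole labels only)."""
    host, rule = normalize(host), normalize(rule)
    return host == rule or host.endswith("." + rule)

def first_match(host, rules):
    """Return the first rule that covers host, or None."""
    return next((r for r in rules if covered_by(host, r)), None)

def triage(observed, allow_rules, tracker_rules):
    """Sort hostnames into allowed / tracker / unmatched; trackers win over allow."""
    result = {"allowed": {}, "tracker": [], "unmatched": []}
    for raw in observed:
        host = normalize(raw)
        if first_match(host, tracker_rules):
            result["tracker"].append(host)
        elif (rule := first_match(host, allow_rules)):
            result["allowed"].setdefault(rule, []).append(host)
        else:
            result["unmatched"].append(host)
    return result

if __name__ == "__main__":
    report = triage(OBSERVED, ALLOW_RULES, TRACKER_RULES)
    for rule, hosts in report["allowed"].items():
        print(f"allow {rule}: {hosts}")
    print("keep blocked (tracker):", report["tracker"])
    print("review before allowing:", report["unmatched"])
```

Anything left in the unmatched list is a hostname the current rules do not cover, so it needs a decision rather than a blanket allow.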

NOTE: To determine all the domains an app may require, it is most efficient to first place the device in a Basic Blocklist policy, where only known threats are blocked. Then launch the app several times and execute all required functions, in order to enrol all the required domains. Once all required app domains are allowed, place the device back into a Zero Trust policy.