I don’t know how Little Snitch does it, but iirc our old Fortinet at the office caches the DNS response for logging, so that no extra reverse DNS requests are needed (and if there isn’t a cached one, you have to explicitly ask to look it up when looking at the logs).
From a quick look in OpenSnitch, it should be tracking DNS replies in UDP packets.
I don't see it filtering the responses, so spoofing hostnames or even overloading the translation table (memory exhaustion) might be possible, even for network attackers.
If the app resolves two hostnames (e.g. useful-service.cloudprovider.com and malware.cloudprovider.com) that are both at the same IP, and then connects to that IP, which of the hostnames is it connecting to?
Without sniffing the Host header (for HTTP) or SNI (for TLS pre-ESNI), it is just a guess.