Is it possible to do the equivalent of a domain-name allow rule using a firewall plus a DNS server working together as follows?

A script keeps reading the DNS logs. Every time the script sees a successful DNS lookup, it generates a firewall allow rule for the associated IP. All other IP's the firewall blocks by default. The DNS server is configured to only allow look-ups to a whitelist of domain names.

So no other IP can be accessed, only what the DNS server returns when the domain name is in the whitelist.

Will this work, is it possible?

Erm... why?? As nice an idea as it might seem to you, don't. I can't imagine this could ever leave you in a happy place. If you already have a whitelist, why not just convert that into rule directly? What kind of rules are you adding? Per source IP? that would get really out of hand quickly. There will be a better way to achieve your original goal, I'm sure. Like a decent web proxy.

Because the other way to whitelist domains, using squid or other proxies, would need too much memory so the VM it would run on would not leave space for the other 3 or 4 VM's that are required at the same time.

I do not yet, but the firewall rules would be per-destination IP (this is for parental control initially, more uses to follow). Where the IP's are known in advance to be associated with youtube.com, yahoo.com and anotherdomain.com, say.

But youtube.com does not have just one IP. Even the list of IP's it has is variable. So domain-name rules are required instead. Firewalls cannot do such rules, so why not dynamically give them the per-IP rules they need, in response to DNS server lookups? There are even floppy linuxes that can run a firewall and a DNS server on 24 MB of ram.