Or be ok with filtering HTTP/TLS traffic based on the domain only, as that part isn't encrypted (the SNI [Server Name Indication]). OpenSnitch should be able to allow/disallow based on that, rather than having to decrypt the TLS part.
But still, you can probably correlate DNS requests with connections to IP addresses in many cases. Although if the program uses DNS over HTTPS (DoH) like several programs do now then the DNS record is also not known.
