dst cannot be used for domains (i.e. anything that would need to be resolved via DNS).
You can only add hostnames here, which you have to define by specific IPs in a hosts section of the ACLs. So it’s really only static IPs.
Or alternatively, if the host you want to control access to has Tailscale installed, then you could tag that host and use the tag to identify it (despite a changing IP).
Example with a hosts section (untested):
    // Role-based groups of users.
    "groups": {
        "group:cs": [
        ],
        "group:dev": [
            "jhon.doe@xyz.com"
        ],
    },
    "hosts": {
        "customhost": "123.123.123.123",
    },
    "acls": [
        // the cs group can only access this IP (as defined by customhost) at port 443.
        {
            "action": "accept",
            "src": ["group:cs"],
            "dst": [
                "customhost:443"
            ],
        },
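The rule described above (a `dst` name must be a `hosts` alias that maps to a fixed IP, or a tag) can be checked before a policy is saved. The following Python check is an added example, not part of the original post and not Tailscale's own validation. It assumes the policy has already been converted to plain JSON (no comments or trailing commas), that every `dst` entry ends in `:<ports>`, and that the accepted selector forms are the simplified subset listed in the code; `lint_policy` and the sample data are hypothetical names and constructed values.

```python
import ipaddress

# Selector prefixes accepted without a hosts entry (simplified subset, an assumption).
BUILTIN_PREFIXES = ("group:", "tag:", "autogroup:")


def is_ip_or_cidr(value):
    """True if value parses as an IP address or CIDR range."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint_policy(policy):
    """Return findings for hosts values and dst targets that look like DNS names."""
    findings = []
    hosts = policy.get("hosts", {})

    # Every hosts alias must map to a literal IP or CIDR, never a DNS name.
    for alias, value in hosts.items():
        if not is_ip_or_cidr(value):
            findings.append(f"hosts.{alias}: {value!r} is not an IP or CIDR")

    for i, rule in enumerate(policy.get("acls", [])):
        for dst in rule.get("dst", []):
            # dst is "<target>:<ports>"; the ports follow the last colon.
            target, _, _ports = dst.rpartition(":")
            if (target == "*" or target.startswith(BUILTIN_PREFIXES)
                    or "@" in target or is_ip_or_cidr(target)
                    or target in hosts):
                continue
            findings.append(f"acls[{i}].dst: {target!r} is not defined in hosts")
    return findings


# Constructed sample: the post's rule plus two deliberately wrong DNS-name entries.
SAMPLE = {
    "hosts": {"customhost": "123.123.123.123", "badhost": "api.example.com"},
    "acls": [
        {"action": "accept", "src": ["group:cs"], "dst": ["customhost:443"]},
        {"action": "accept", "src": ["group:dev"],
         "dst": ["api.example.com:443", "tag:web:22"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```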