DNS/Packet Firewall

Hmm, what you request is difficult, and there is not really one solution for this.

The best way to go is indeed via the DNS route, but then again you have no control if Netflix changes domain names and subdomain names.

If I needed to do something like this myself, I would think of using ipsets via dnsmasq. This means all IPs of domain x get stored in an ipset, which you can then use in the firewall rules of LuCI. OpenWrt 23.5 and above has support for ipsets via LuCI :), see LuCI → network → dhcp and dns settings → general settings, and LuCI → network → firewall → ipsets.

And in the firewall traffic rules you also have support for it via the advanced tabs.

Then you can make two traffic rules: one rule which allows all IPs inside the ipset, followed by a rule which blocks all connections based on the src MAC.

Then you effectively make use of the priority, and Netflix and such will still work, and devices not inside the MAC src firewall rule still have full internet :)
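
The two-rule setup described in the post above, written out as UCI configuration. This is an added example, not part of the original post. The set name `streaming_allow`, the zone names `lan` and `wan`, and the MAC address are placeholders, and it assumes the fw4 firewall and a dnsmasq build with set support (`dnsmasq-full`).

```uci
# /etc/config/dhcp
# dnsmasq adds every address it resolves for these domains to the set.
# The domain list is illustrative and incomplete; add the service's other
# domains as needed, and expect to maintain it when they change.
config ipset
	list name 'streaming_allow'
	list domain 'netflix.com'

# /etc/config/firewall
# Declare the set that dnsmasq fills, matched against the destination IP.
config ipset
	option name 'streaming_allow'
	option family 'ipv4'
	option match 'dest_ip'

# Rule 1 (must come first): allow forwarding to anything in the set.
config rule
	option name 'Allow-streaming-set'
	option src 'lan'
	option dest 'wan'
	option ipset 'streaming_allow'
	option proto 'all'
	option target 'ACCEPT'

# Rule 2: reject everything else from the restricted device.
# 00:00:5E:00:53:01 is a placeholder MAC; repeat 'list src_mac' per device.
config rule
	option name 'Block-restricted-device'
	option src 'lan'
	option dest 'wan'
	list src_mac '00:00:5E:00:53:01'
	option proto 'all'
	option target 'REJECT'
```

dnsmasq only adds addresses to the set when it answers the lookup itself, so the restricted device has to use the router as its DNS resolver. Rule order matters: the allow rule has to sit above the block rule.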