
Answer by nrc for Can IP tables allow specific DNS queries based on domain name?

The dot "." in a DNS query is not represented as a character, but as the length of the string that follows. For example, www.google.com is queried as

0x03 w w w 0x06 g o o g l e 0x03 c o m

You can easily allow/block DNS queries by matching the domain names with --hex-string. In your case:

-m string --algo bm --hex-string '|06 676f6f676c65 03 636f6d|' -j ACCEPT

will accept every DNS packet containing ".google.com".

I often use this technique against the DNS query amplification attack.

source: DNS RFC 1035
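
The following is an added example, not part of the original answer: it builds the --hex-string value for a domain from the RFC 1035 label encoding and checks what a byte-exact substring match of that pattern does against constructed DNS query payloads. The function names and the sample queries are assumptions made for illustration.

```python
import struct

def encode_labels(name, root=False):
    """RFC 1035 wire form: each label is a length byte followed by its bytes."""
    out = bytearray()
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    if root:
        out.append(0)  # zero-length root label that terminates every QNAME
    return bytes(out)

def hex_string(name, root=False):
    """Format the encoded labels as an iptables --hex-string value."""
    wire, groups, i = encode_labels(name, root), [], 0
    while i < len(wire):
        n = wire[i]
        groups.append("%02x" % n)                  # length byte
        if n:
            groups.append(wire[i + 1:i + 1 + n].hex())  # label bytes
        i += 1 + n
    return "|" + " ".join(groups) + "|"

def build_query(name, qtype=1, txid=0x1234):
    """Constructed DNS query payload: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_labels(name, root=True) + struct.pack("!HH", qtype, 1)

def rule_matches(pattern_name, query_name, root=False):
    """Byte-exact substring search of the pattern in the payload."""
    return encode_labels(pattern_name, root) in build_query(query_name)

if __name__ == "__main__":
    print(hex_string("google.com"))             # pattern used in the answer
    print(hex_string("google.com", root=True))  # same pattern anchored with 00
    # Constructed query names: subdomain, longer name, mixed case.
    for q in ("www.google.com", "google.com.example.org", "www.GOOGLE.com"):
        print(q, rule_matches("google.com", q),
              rule_matches("google.com", q, root=True))
```

The pattern without the trailing 00 also matches a longer name such as google.com.example.org, so appending 00 anchors it to the end of the QNAME. The comparison is byte-exact, while DNS names are case-insensitive, so a query sent in a different case does not match.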

