A destination list is quite literally a list of internet destinations that can be blocked or allowed based on the administrative preferences for the policies applied to the identities within your organization.
A destination is currently defined as an IP, a URL or a fully qualified domain name. URLs can only be in Block lists and IPs can only be in Allow lists.
This article briefly outlines what is or isn't acceptable to be added to a destination list.
What you can add
1. Fully qualified domains and subdomains. The protocol is not required. If you wish to block all subdomains of a domain, add the top level domain name as exampledomain.com
If you wish to only block a subdomain, add the subdomain as subdomain.exampledomain.com
2. IP addresses can be added to an Allow Destination only. These can only be IPv4 and cannot include ranges like /29 or /16 or subnet masks like 255.255.255.0. An example would be 100.100.101.250. However, this feature is currently in Limited Availability and may not be available for all users.
What you cannot add
1. You cannot add URLs to an Allow list. To Allow a URL, simply allow the domain instead.
2. You cannot add wildcards. A wildcard is implicit in the way DNS is structured, so adding a domain covers all of the subdomains and there is no reason to add *.domain.com to cover this.
3. You cannot add IP addresses to the block list, and unless you are one of the customers given the capability to allow IP addresses, you may not be able to add IPs in any list.