The "Allow" directive of the "User" section should allow host and domain names in addition to IP addresses.
Currently not possible in znc (dont ask why).
Also, this is a bad idea. $EVIL_PERSON could just set his own PTR record to whatever a wants and use that for bypassing all your security. Checking the IP address directly is more secure.
Wouldn't it be better for ZNC to lookup the "Allow"ed domain's record once (or on every connect attempt), and use that IP, rather than checking the client?
The reason I suggested it's because I'm on a dynamic IP address where even the number of the first block can vary, so I'd be as well setting "Allow *" and to me that seems like it defeats any possible security of the allow feature anyway...