At this point we're probably going to go ahead and pre-load a few individual hostnames in wikimedia.org that are more-critical while the longer process plays out for the rest of it. We can't touch donate due to ongoing issues to resolve there. My short-list to get the most-important ones locked down would be just these:
meta - This gets hit a ton during browser access to other wikis, for things like banner campaigns, gadgets, etc.
login - To protect CentralAutoLogin-related hits here
commons - Because it's a major wiki and again indirectly referenced a lot
payments - Doesn't even have an HTTP listener on port 80 and fairly critical
The first three all have .m. variants in DNS, although login.m doesn't seem to get real traffic in practice? Could just remove that one instead of pointlessly preloading it if so.
We'll need to address the bad www subdomains in meta and commons first as well (T102826).