How to enable firewall for wildcard and "DNS Only" record

Hi there,
I have a domain named “DOMAIN” and in the Cloudflare dashboard I added these records in the DNS tab:

A / DOMAIN / 1.2.3.4 / Proxied
*A / .DOMAIN / 1.2.3.4 / DNS Only

Now I want to block all requests that are sent from a country named “X”.

I added this rule in my firewall rules:

hostname does not equal DOMAIN
and
country equal X

action: block

When I checked test.DOMAIN from X, it was available!

I added this record in DNS tab:
A / test.DOMAIN / 1.2.3.4 / Proxied

Firewall worked.

Then I changed the record to:
A / test.DOMAIN / 1.2.3.4 / DNS Only

Firewall did not work.

I think the firewall does not work for “DNS Only” records, and I do not want to use a “Proxied” record, nor can I enable that for a wildcard record on the free plan.

Do you have any solution for me?
I just need to block all requests from a country for wildcard subdomains in “DNS Only” mode.

Thank you

Edit of records:

A / DOMAIN / 1.2.3.4 / Proxied
A / *.DOMAIN / 1.2.3.4 / DNS Only

This is not currently possible. For most Cloudflare features to work the DNS must be proxied (orange cloud).

You would need to block the request on your origin server. In DNS only mode the connection from a user to the server occurs directly; Cloudflare can’t block a request it does not see.

Correct. You could explicitly define the hosts your origin supports instead of using a wildcard and use proxied (orange cloud) records where appropriate to block requests which are proxied by Cloudflare.

If a record is “Proxied” then it goes through Cloudflare; if it’s “DNS Only” then it can bypass Cloudflare and doesn’t proxy through Cloudflare.
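
The origin-side block suggested in the replies above, as an added example that is not part of the original thread: it applies the same condition as the firewall rule (hostname is not DOMAIN and country is X) on the origin itself, where requests to “DNS Only” hostnames arrive directly. It assumes a Python WSGI origin; `domain.example` is a placeholder for DOMAIN, and the CIDR list for country X is constructed sample data standing in for a real GeoIP source.

```python
import ipaddress

APEX = "domain.example"  # placeholder for the thread's DOMAIN (proxied record)

# Constructed sample data: documentation ranges standing in for country "X".
# A real deployment would load the country's CIDR blocks from a GeoIP source.
COUNTRY_X_NETS = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def normalize_host(host_header):
    """Lower-case the Host header and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if ":" in host and not host.endswith("]"):  # leave bare IPv6 literals alone
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def in_country_x(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP address, so no country match
    return any(ip in net for net in COUNTRY_X_NETS)


def should_block(host_header, peer_ip):
    """Same condition as the rule in the thread: hostname != DOMAIN and country == X.

    peer_ip must be the TCP peer address. On DNS Only hostnames the client
    connects directly, so forwarded-IP headers are client-controlled.
    """
    return normalize_host(host_header) != APEX and in_country_x(peer_ip)


class CountryBlock:
    """WSGI middleware that answers 403 before the wrapped app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if should_block(environ.get("HTTP_HOST", ""), environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)
```

Requests for the proxied DOMAIN record reach the origin from Cloudflare's addresses rather than the visitor's, which is why the check skips that hostname and leaves it to the Cloudflare firewall rule.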