Sargon wrote:I don't understand what you mean with "LS uses the IP address rather than names". If LS tells me that "SoftwareUpdateCheck wants to connect to b.scorecardresearch.com", where does "b.scorecardresearch.com" come from? It's not the reverse lookup, because the reverse lookup is "a212-101-4-213.deploy.akamaitechnologies.com".
You are correct, it's not done with reverse lookup. I suggest you read about this in Littlesnitch Help; what I know is in there and said better than I can.
My current rule is to allow outgoing traffic to the whole apple.com domain - which covers all hosts listed in your linked Apple support page. But this is not enough, because "b.scorecardresearch.com" is outside this domain. And I'm reluctant to allow this domain (among others) for SoftwareUpdateCheck to work.
No, this should work because the IP addresses are the same. Perhaps some detail is different between the Allow rule and the connection request - port, protocol, requesting process or location?