We're more exposed to DNS problems with this design, but that is also deliberate. Be sure to acknowledge this, maybe even point to DNSSEC. Then, be sure to say that this doesn't really change things from ordinary HTTP, where the DNS is able to deny service or route clients to a server instance of their choosing. The defenses here are relying on TLS for authority, which also includes protocol choice. The choice of port remains something that an attacker can choose, without protection, but that is still a problem even without this design.