As of slightly over a week ago, Drupal 8 permits you to hardwire in
settings.php not just the old
$base_url default, but a list of regular expressions which, if the incoming request domain doesn't match any of them, cause the server to respond to the browser with HTTP 500: effectively what looks to the world like a server error. This is in addition to the options of configuring your webserver layer to do the same.
What this means is that, once you've got the setting in place, people can't—maliciously or otherwise—request pages from your Drupal codebase, but spoofing a different domain name. This can potentially lead to poisoning of your cache or your cron. You can block this at other layers too, but blocking in Drupal can lead to more intelligent behaviour if you need it.
Locking down permitted domains is trivial: add the following configuration into settings.php:
$settings['trusted_host_patterns'] = array( '^www\.example\.com$', );
There's more detailed information on the D8 change record for this new functionality. Note that, if you're doing local development, you might get (temporarily) locked out of your site by the above configuration on its own. You should add another trusted host pattern for '^localhost$' in this case.
All of your options for blocking such requests are covered on this d.o documentation page on protecting against them, and I've just added the new D8 behaviour to the bottom of the page myself. Why not download the latest D8 beta and give it a try?