The Entrust IP addresses used revocation checks are dynamic and globally load-balanced, because of this Entrust cannot provide a set of Static IP addresses.
1. Inclusion list the FQDN's listed below:
2. Proxy the CRL requests to a server in DMZ.
Request to crl.entrust.net would be directed to a proxy server which has internet access. Proxy server downloads the CRL.
Implementation details are dependent on the hardware/software available to execute this setup.
3. Host the CRL internally.
Please check the below link from entrust for more details