The docs really aren't that clear, but my understanding is that, if you use "dns_based", you have to provide some form of DNS load balancing and direction outside of Check Point.
So you are technically correct that MEP will hand out all IPs to the client in the trac_client.ttm file. But then you have to update the ttm file on all gateways to reflect the new IP address and install policy on each of them.
Is there a way to configure DNS resolution _and_ MEP? And before anyone says that it's a security risk because "you can't trust DNS", isn't that the whole point behind the fingerprint verification that the client does? The client doesn't trust the IP address either. I already have DNS entries and public trusted certificates on my gateways for MAB.