Whether or not you have to add DCs to an account's "Log on to..." restriction, is entirely 100% dependent on the app that will be using it and whether or not that particular app sends the source workstation name in the logon request or if it just sends the IP without a workstation name. If it sends the just the IP, then the source workstation field gets populated with the DC's name, which is why the DC's have to be added to the "Log on to..." restriction. This is most commonly encountered with non-Windows appliances/systems, like NetScalers for example.
Below is an example Security event ID 4625 for a logon attempt from a netscaler appliance using an account that did not have the DCs added to it's "Log On To..." restriction's list of accounts:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/27/2014 9:22:36 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AD01.mydomain.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: AD01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: netscalersvc
Account Domain: MYDOMAIN
Failure Information:
Failure Reason: User not allowed to logon at this computer.
Status: 0xc000006e
Sub Status: 0xc0000070
Process Information:
Caller Process ID: 0x260
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: AD01
Source Network Address: 192.168.5.5 <- NetScaler's IP, not AD01's IP
Source Port: 64015
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0