How do you build an irule to drop connection (without completing the handshake)

Of course, using more intelligent DNS handling would avoid this issue :)

There's an option on TCP profiles called 'Verified Accept' which could help though. Here's the snippet from the online help:

Specifies, when checked (enabled), that the system can actually communicate with the server before establishing a client connection. To determine this, the system sends the server a SYN before responding to the client's SYN with a SYN-ACK. When unchecked, the system accepts the client connection before selecting a server to talk to. This setting is not compatible with iRules. The default is unchecked (disabled).

Make sure you're running the latest hotfix for your version as there have been some recent fixes with this feature.

Another option would be to disable ARP for the entire virtual address if the pool is down. Here's another post on this:

https://devcentral.f5.com/questions/f5-vs-always-responding-to-ping