Forum Discussion

rahvee
Nov 01, 2024
Solved

Resolving DNS, and dynamically selecting pool

The problem: Some LAN hosts are not permitted outbound access to the internet through the firewall, and yet, they need access to github.com. Unfortunately, github's published CIDR ranges are enormous (hundreds of CIDR ranges), and dynamic, so we can't just modify firewall to allow outbound access to a simple set of CIDR ranges. Also, github.com is extremely dynamic. If you resolve over and over, it comes back with a new set of IP addresses every few seconds. So our firewall, which supports DNS-based rules, is not able to support DNS-based rules for github.com. It's just simply too volatile.

The proposed workaround: Host a virtual server as a reverse proxy on a private IP address on the F5, which will use an iRule to query github.com, and TCP pass-thru traffic to whatever external IP address is returned. Local clients would have the F5 IP address hard-coded into /etc/hosts so all traffic for github.com will go to this local F5 IP address, and the F5 should pass-thru to an appropriate external IP for github.com.

The DNS query is easy enough in an iRule. The problem is pool selection. I assume I can't have an iRule dynamically create or modify a pool, right? I should be able to create a pool with a hard-coded set of IP addresses in it, but then it won't be dynamic at all, and we'll be prone to failure whenever github decides to change their IP addresses.

Any good ideas for possible solutions?

Thanks
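One way to get the pass-through the post describes without a pool at all is to resolve the name on each new connection and hand the TCP connection to the resolved address with the `node` command, which bypasses pool selection. The iRule below is an added example, not code from the original post or from F5; the resolver address 10.0.0.53 and the assumption that the virtual server is a standard TCP virtual server on port 443 with SNAT automap enabled are hypothetical.

```tcl
# Added example (not from the original post): per-connection DNS lookup of
# github.com with direct node selection instead of a pool.
# Assumptions (hypothetical): the DNS resolver is reachable at 10.0.0.53 and
# the virtual server is a standard TCP VS on port 443 with SNAT automap enabled.
when CLIENT_ACCEPTED {
    # Resolve on every new connection so the answer is as fresh as GitHub's DNS.
    set answers [RESOLV::lookup @10.0.0.53 -a "github.com"]

    # Fail closed: if the lookup returns nothing, drop the connection rather
    # than forwarding to a stale or hard-coded address.
    if { [llength $answers] == 0 } {
        log local0.warn "DNS lookup for github.com failed; rejecting [IP::client_addr]"
        reject
        return
    }

    # Spread connections across the returned records instead of always taking the first.
    set target [lindex $answers [expr { int(rand() * [llength $answers]) }]]

    # Bypass pool selection entirely: send this TCP connection straight to the
    # resolved address. The virtual server needs no pool for this to work.
    node $target 443
    log local0.info "[IP::client_addr] -> github.com ($target:443)"
}
```

Because the F5 only forwards bytes, the client still negotiates TLS end to end with GitHub and validates GitHub's certificate for the name it typed, so the /etc/hosts override does not weaken certificate checking. The firewall must allow the F5's SNAT address outbound, and since this resolves on every connection, a busy site may want to cache the answer for a short TTL with the `table` command rather than querying the resolver each time.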

4 Replies
