ACLs can operate on Network Access or App Tunnel or LTM+APM or Portal Access mode. Some of these modes have a source/dest IP and sometimes it's not really relevant.
ACL evaluation comes after ACCESS_POLICY_COMPLETED. Between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED, iRule flows actually are triggered from Client -> APM Renderer, so the source/dest won't make a lot of sense there. After the Access Policy is done, and the session is in "Allow" state, then all assigned ACLs are processed as normal.
What exactly are you trying to ACL? It's pretty flexible; there should be no need to come up with any funny tricks like DNS lookups, etc.