Browser-Accessible Dns-Over-Https Json Querying (Cors-Enabled)

Issue 81 Edition 2026-03-22 4 min read

Not accepted General

Sources: 1 • Confidence: Medium • Updated: 2026-03-25 17:54

Key takeaways

Cloudflare's 1.1.1.1 DNS resolver provides a CORS-enabled JSON API.
Cloudflare's 1.1.1.2 resolver is positioned as blocking malware.
Cloudflare's 1.1.1.3 resolver is positioned as blocking both malware and adult content.
The author used Claude Code to build a UI that runs DNS queries against Cloudflare's 1.1.1.1, 1.1.1.2, and 1.1.1.3 resolvers.

Cloudflare's 1.1.1.1 DNS resolver provides a CORS-enabled JSON API.
The author used Claude Code to build a UI that runs DNS queries against Cloudflare's 1.1.1.1, 1.1.1.2, and 1.1.1.3 resolvers.

Cloudflare's 1.1.1.2 resolver is positioned as blocking malware.
Cloudflare's 1.1.1.3 resolver is positioned as blocking both malware and adult content.

What is the exact DNS-over-HTTPS JSON endpoint shape (URL paths, parameters) and what CORS headers are returned under normal and error conditions?
What are the rate limits, quotas, or acceptable-use constraints for calling the JSON API directly from client browsers at scale?
How do the malware and adult-content filtering resolvers signal blocking (for example, NXDOMAIN vs redirected answers), and how consistent is behavior across categories and time?
What is the provenance, availability, and reproducibility of the referenced UI (source availability, hosting, and whether it exercises the same API paths claimed)?
Is there any direct decision-readthrough (operator, product, or investor) that is explicitly supported by this corpus beyond the narrow point that browser-based DNS tooling may be feasible?

CORS enabled DNS over HTTPS JSON endpoints could enable browser native DNS diagnostics and monitoring tools without backend proxies, potentially lowering friction for security and networking SaaS features.
Resolver variants positioned for malware and adult content blocking suggest DNS layer policy enforcement via simple resolver selection, a potentially low effort control for consumer and small business deployments.

Documentation or testing shows stable DNS over HTTPS JSON endpoints with permissive CORS headers across normal and error responses, and predictable parameters and response shapes suitable for production browser use.
Published acceptable use terms or observed behavior indicates workable rate limits for client side browser traffic at meaningful scale, including guidance for high volume usage.
Empirical tests show consistent, well signaled blocking behavior for 1.1.1.2 and 1.1.1.3 across categories and time, with clear indication of blocked versus unresolved outcomes.

CORS headers are removed, restricted, or inconsistent, forcing most browser tools to use server side proxies and undermining the claimed browser feasibility.
Rate limits or terms prohibit direct browser at scale usage, or aggressive throttling makes client side querying unreliable for real applications.
Filtering behavior is opaque or inconsistent, with unclear signaling and high variability over time, limiting trust and usability for policy enforcement comparisons.