How do Cloudflare's security features, such as WAF or DDoS protection, cause a 'DNS query refused' message?

Cloudflare's security features can cause a 'DNS query refused' message as a defensive measure. For instance, if the Web Application Firewall (WAF) detects suspicious patterns in a query or if an IP address is part of a known botnet or blocked by IP Access Rules, Cloudflare might refuse the query. DDoS protection can also throttle or outright refuse queries from IPs exhibiting characteristics of a distributed denial-of-service attack, preventing resource exhaustion on the DNS servers.