← Glossary / Cloudflare Error 1002 (Restricted)

What is Cloudflare Error 1002 (Restricted)?

Cloudflare Error 1002 (Restricted) occurs when a Cloudflare-proxied domain resolves to a prohibited IP address, such as a local loopback or another Cloudflare edge node. While technically a DNS misconfiguration, sophisticated targets increasingly use dynamic origin rewriting to route identified bot traffic to null IPs. For scraping pipelines, encountering a sudden spike in 1002s often means your fingerprint has been flagged and you are being silently blackholed.

CloudflareDNS RoutingNull RoutingWAF RulesError 1002

// 02 — definitions

The silent
blackhole.

Why a DNS error is often a disguised anti-bot mechanism, and how targets use prohibited IPs to drop your requests.

Ask a DataFlirt engineer →

TL;DR

Error 1002 means the edge node tried to fetch content from an origin IP it isn't allowed to talk to. While it can be a genuine target outage, scraping pipelines usually see it when a Cloudflare Worker dynamically alters the origin address for suspicious requests, effectively null-routing the scraper without spending compute on a CAPTCHA or 403 page.

01Definition & structure

Cloudflare Error 1002 occurs when a request reaches a Cloudflare edge node, but the DNS record for the target origin server points to a prohibited IP address. Cloudflare maintains a strict list of IPs it will not proxy traffic to, including local loopback addresses (127.0.0.1), private network ranges, and other Cloudflare proxy IPs (to prevent infinite routing loops).

When the edge node attempts to fetch the content and sees a prohibited IP, it immediately terminates the connection and returns the 1002 error page to the client.

02How it works in practice

In a standard web environment, a 1002 is usually a mistake. A site administrator might accidentally point their DNS A record to a local IP during testing, or point a CNAME to a domain that is also proxied by Cloudflare, creating a loop.

In a scraping context, however, it is frequently used as an aggressive defense mechanism. Instead of serving a standard block page, targets use edge compute to dynamically rewrite the origin IP for requests that look like bots, sending them to a prohibited IP and forcing the 1002 error.

03The Worker Null-Route tactic

Targets implement this using Cloudflare Workers and the resolveOverride property. When a request arrives, the Worker checks the cf.botManagement.score. If the score is below a certain threshold, the script overrides the DNS resolution for that specific request to 127.0.0.1.

This is highly effective against scrapers because it mimics a site-wide outage. Basic retry logic will simply back off, assuming the target is down, rather than rotating proxies and fingerprints to bypass the block.

04How DataFlirt handles it

We treat 1002 errors with suspicion. When a pipeline encounters a 1002, our orchestrator immediately fires an out-of-band probe to the same URL using a pristine residential IP and a high-trust browser fingerprint. If the probe succeeds, we know the 1002 is a targeted WAF block.

The orchestrator then flags the current session as burned, rotates the proxy ASN and TLS fingerprint, and resumes extraction. This ensures we don't pause pipelines for fake outages.

05Did you know?

Cloudflare wraps the 1002 error in a standard HTTP 403 Forbidden status code. If your scraper only logs HTTP status codes and doesn't parse the response body or the specific cf-ray headers, a 1002 null-route will look identical to a standard WAF block or a CAPTCHA challenge in your metrics dashboard.

// 03 — the routing logic

How dynamic
null routing works.

Targets use Cloudflare Workers to evaluate request entropy. If the bot score is too high, the worker overrides the origin IP to a prohibited address, triggering the 1002.

Worker Origin Override = if (cf.botManagement.score < 30) { origin = "127.0.0.1" }

Forces a 1002 error by pointing to loopback. Common WAF pattern

Error 1002 Probability = P(1002) = WAF_rule_match × Dynamic_Origin_Enabled

Spikes when targets deploy new Worker-based defenses. DataFlirt pipeline heuristics

DataFlirt Recovery Time = T_detect + T_{rotate_fingerprint} < 45s

Automated session rotation upon 1002 detection. Internal SLO

// 04 — edge worker trace

Triggering a 1002
via bot detection.

A simulated trace of a Cloudflare Worker intercepting a request with a bad JA3 hash and rewriting the origin to a prohibited IP.

Cloudflare WorkerBot ManagementNull Route

edge.dataflirt.io — live

CAPTURED

// inbound request
cf.ray_id: "8a4f9b2c1d3e4f5a"
tls.ja3_hash: "b32309a26951912be7dba376398abc3b" // known scraper

// worker execution
worker.route: "api.target.com/*"
cf.bot_score: 12 // likely automated
action: "override_resolve_override"
resolve_override: "127.0.0.1" // prohibited IP

// edge resolution
dns.target: "127.0.0.1"
dns.status: PROHIBITED_IP

// response to client
http.status: 403 Forbidden // Cloudflare wraps 1002 in a 403
cf.error_code: 1002
cf.error_message: "DNS points to Prohibited IP"

// 05 — root causes

Why you're seeing
Error 1002.

While sometimes a genuine target misconfiguration, sudden 1002 spikes in a previously healthy pipeline indicate active defense. Here is the distribution of 1002 causes across DataFlirt's monitored targets.

SAMPLE SIZE · · · · 1.2M 1002 errors

WINDOW · · · · · · 90d trailing

UPDATED · · · · · · 2026-05-19

01

Dynamic null routing (WAF)

intentional · Worker rewrites origin for low bot scores

02

Target DNS misconfiguration

accidental · Site owner pointed CNAME to Cloudflare IP

03

Stale DNS cache in scraper

client-side · Scraper resolving old, prohibited edge IPs

04

Rate limit tarpitting

intentional · High RPS triggers temporary origin rewrite

05

Cloudflare internal routing

infrastructure · Rare edge node resolution failure

// 06 — pipeline resilience

Treat 1002s as blocks,

not as target downtime.

When a target goes down, you back off. When a target null-routes you, you rotate. DataFlirt's telemetry engine distinguishes between global 1002s (the site is actually broken for everyone) and targeted 1002s (only your fingerprint is getting null-routed). If our residential probes can reach the site but the datacenter workers get a 1002, we immediately classify it as a WAF block and rotate the TLS fingerprint and proxy ASN.

Error 1002 Triage Event

Live telemetry from a pipeline encountering sudden 1002 errors.

pipeline.id ecom-pricing-eu

error.code CF_1002

probe.datacenter 1002 Restricted

probe.residential 200 OK

classification targeted_null_route

action rotate_ja4_and_asn

recovery.status pipeline_restored

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

// 07 — FAQ

Common
questions.

Common questions about Cloudflare Error 1002, dynamic origin rewriting, and how to recover your scraping pipeline.

Ask us directly →

What exactly is a 'Prohibited IP' in Cloudflare? +

Cloudflare prevents edge nodes from proxying requests to certain IP ranges to avoid infinite loops and abuse. Prohibited IPs include local loopback addresses (like 127.0.0.1), private network spaces (RFC 1918), and Cloudflare's own proxy IPs. If the DNS resolves to one of these, Cloudflare drops the request and serves a 1002.

Is Error 1002 always an anti-bot block? +

No. It is frequently a genuine mistake by the site owner, for example, pointing a CNAME record to another Cloudflare-proxied domain incorrectly. However, if you only see 1002s on your scraper traffic while your browser loads the site fine, it is an intentional null-route deployed via Cloudflare Workers.

Why would a target use a 1002 instead of a standard 403 or CAPTCHA? +

Cost and stealth. Serving a managed challenge or a custom 403 block page consumes edge compute and bandwidth. Rewriting the origin to 127.0.0.1 via a lightweight Worker script is computationally cheaper and confuses basic scrapers that assume the target is simply down.

How does DataFlirt handle sudden 1002 spikes? +

We run out-of-band probes using pristine residential IPs and high-trust fingerprints. If the probe gets a 200 OK while the main pipeline gets a 1002, our orchestrator flags it as a targeted block, rotates the session attributes (IP, JA4, headers), and retries. If the probe also gets a 1002, we pause the pipeline and alert the client of target downtime.

Can overriding DNS locally fix a 1002 error? +

No. The 1002 error is generated by Cloudflare's edge node failing to resolve the origin server, not your scraper failing to resolve Cloudflare. Local /etc/hosts changes or custom DNS resolvers in your scraper won't bypass an edge-side routing restriction.

Does rotating my proxy IP bypass a targeted 1002? +

Only if the Worker rule is strictly IP-based. Modern Cloudflare Bot Management rules that trigger null-routes are usually based on the overall bot score, which factors in TLS fingerprints (JA4), HTTP/2 framing, and header order. You must rotate the entire fingerprint, not just the IP.

$ dataflirt scope --new-project --target=cloudflare-error-1002-(restricted) READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing

hello@dataflirt.com · Bengaluru · IST · typical reply < 4h