See “Enter 1.1.1.1” section on this post: https://blog.cloudflare.com/announcing-1111/
> We talked to the APNIC team about how we wanted to create a privacy-first, extremely fast DNS system. They thought it was a laudable goal. We offered Cloudflare's network to receive and study the garbage traffic in exchange for being able to offer a DNS resolver on the memorable IPs. And, with that, 1.1.1.1 was born.
Cloudflare and APNIC seem to both assume the traffic is going to now hit Cloudflare. Trying to block everything but DNS makes no sense at all; how can/should ISPs be keeping track of which services someone chooses to run on their IP address?
Edit: Turns out Cloudflare aren't just running DNS; they're hosting a http/s webpage with instructions on how to use their DNS too, so you've gotta hope people aren't filtering: https://1.1.1.1/
Cloudflare sends so much data out that they probably want to get more sent to them so things balance out. The more garbage traffic, the better! :)
I'm totally out of my bailiwick here, it can't be that simple, can it?