Cloudflare’s account-level `enforce_dns_only` setting turns direct-to-origin failover from a theoretical fallback into a real operating mode. The risk is not the API call itself. It is whether your DNS, certificates, firewall rules, and origin capacity will hold up when Cloudflare’s proxy is suddenly out of the path.