Oh interesting. Firefox says it's both enabled and set to use 1.1.1.1, and I figured that nothing would resolve if it wasn't... but if https://1.1.1.1/help is correct then it's not actually working and something else is happening.
I know I tried setting and disabling that when I was testing but I saw no change. I don't remember setting 1.1.1.1 but I may have enabled DoH. I'll see if changing the DNS server in Firefox to whatever everything else is using helps.
Edit:
It looks like Firefox just silently falls back to non-DoH system defaults if it's not working. Good to know, I guess. Not really sure what the point of DoH is if networks can just silently override the setting.
> Mozilla has announced plans to enable DoH for all Firefox desktop users in the United States in 2019. DoH will be enabled for users in “fallback” mode. For example, if the domain name lookups that are using DoH fail for some reason, Firefox will fall back and use the default DNS configured by the operating system (OS) instead of displaying an error.
> Not really sure what the point of DoH is if networks can just silently override the setting.
You can explicitly configure the browser to insist on DoH whereupon it's your fault if that doesn't work. But the defaults changed only to try to do DoH if they can.
"If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored."
Well I have already manually disabled and enabled it a few times and it still clearly always uses the fallback. So if disabling fallback is a setting, it's something beyond manually turning DoH on in the preference panel.
FWIW, I've only seen the issue you reported when resolving a Cloudflare hosted site through Cloudflare DNS, with Firefox as the client. Refreshing multiple times seemed to work.
I haven't had the time to investigate it when it occurred; anecdata.
I have wondered if it's related to handing off from the CF balancer to the site's TLS.