BTW, shouldn't we de-cloudflare Firefox 70?
It has DNS-over-HTTP(s) enabled and set to cloudflare DNS servers without any fallback.
On NixOS we could set them to config.networking.nameservers or something less vendor locky

I am absolutely in favor of that. I'd like to see an approach where we supply an enterprise policy that disables it.

Seems the other solutions documented here (probing for a canary domain, security.enterprise_roots.enabled) don't really apply, so enterprice policies might be the way to configure this.

According to their docs, this could be accomplished by adding a policies.json file into a distribution folder below the "installation directory". I didn't strace yet where our firefox looks for it.

The appropriate policy would be DNSOverHTTPS, and an example json is documented here: https://github.com/mozilla/policy-templates/blob/master/README.md#dnsoverhttps

This also allows pointing to another DoH server, if sb. wanted to do that.

If we do this, we probably want to point firefox to look for that in the wrapper, so policies can be redefined without having to recompile firefox-unwrapped

Changing to staging because its not uncommon to get regressions due to sqlite.
(Note, however, that staging will anyway move to staging-next now so it won't matter...)

.mil-domains won't be resolved from Russia and Iran

For now, Firefox should only default to Cloudflare in "North America", besides displaying some opt-out dialogue, and the default resolver can prevent this anytime by blocking a canary domain. At least that's what I remember from discussions in relevant IETF places; I haven't investigated details of the defaults.

I'm certainly not a fan of Mozilla choosing this weird combination of defaults, and we could disable that in nixpkgs somehow (perhaps later). But in any case, the "war" is primarily about the masses who have no idea about DNS, and I don't think in our case the default applies to that many people.