DNS over HTTPS in Firefox

Apparently Firefox's implementation has both a soft fail and a hard fail DoH mode. In hard fail, too bad, you wanted DoH, the name you asked about is NXDOMAIN (or no records) according to the DoH resolver, so, this site isn't reachable.

In soft fail, after it gets a negative response over DoH, Firefox tries your default OS resolver. This means /etc/hosts entries, "split brain" private DNS entries and so on will work after that happens.

I can see there'd be split brain scenarios where this doesn't do what you want (e.g. the public Internet sees one server, which requires a separate multi-step authentication, but the private Intranet offers a different IP address for the same name, and on that server it uses, say, Windows authentication or a company SSO solution). But I suspect those are comparatively rare.