You can check this with DNS Lookup tool on the about:networking page.

Thanks, I forgot to include that. I get NS_ERROR_UNKNOWN_HOST.

It's still not clear what the answers to my three points above are though. If it's not using DoH (TRR mode 0), it should just use normal DNS, in which case everything should be fine if curl is to be trusted. If it is using DoH (TRR mode 2), the query will fail as curl confirms, but it should fall back to a working DNS query.

There probably is some technical documentation on this, but to ruminate a bit...

With "Increased Protection" or network.trr.mode=2, the documentation says

We will only switch to a backup option if there are any issues with your chosen provider. See: Configure DNS over HTTPS protection levels in Firefox

Does this mean something different than what this mode did before? The older article said:

... DoH is enabled for users in “fallback” mode. For example, if the domain name lookups that are using DoH fail for some reason, Firefox will fall back and use the default DNS configured by the operating system (OS) instead of displaying an error. See: Firefox DNS-over-HTTPS

I don't know whether "issues" or "fail for some reason" means the host was not found by the trusted resolver, or that Firefox can't get a valid response from the trusted resolver. It could be a privacy problem to "leak" every typo'd host name to the local resolver.

Thank you for the clarification. These things still seem a bit loosely defined, but I think you may be right about "issues" covering more low level problems rather than the success of the resolution.

Two further issues/questions:

• it seems that on first startup of Firefox there is an inconsistency between network.trr.mode and the "GUI" setting in about#preferences, with the setting being "default" and mode 0, it says status active. However, if I change to increased protection (mode 2) and then back to default, it now says status off. All this is in the GUI, just checking about:config to see what's happening.
• Does Cloudflare (my DoH provider) have it's own DNS servers that perhaps my new registrar's info has not yet propagated to, or does it just forward my encrypted query to an actual DNS server? If it's the former, this could explain the behavior I'm seeing.

with the setting being "default" and mode 0, it says status active.

There is another setting doh-rollout.mode which takes precedence in "Default" mode. This only appears for certain regions where it is being default enabled and has the same mode values as network.trr.mode.

TRR-first (mode 2) is not strict by default (network.trr.strict_native_fallback) and will readily fallback on lookup failures and 1.5 second timeouts. A fallback reason is recorded which you can see at about:telemetry#search=TRR_SKIP_REASON.

https://firefox-source-docs.mozilla.org/networking/dns/dns-over-https-trr.html

Thanks for the help and information here. It turns out the root cause was DNS issues, specifically migration of a DNSSEC domain to a name registrar who did not support DNSSEC on their nameservers.