Finally achieved empty tcpdump starting Firefox. Had to find and clear location.services.mozilla.com and push.services.mozilla.com from show-all in about:config. Then there were the following that are hard-coded, not appearing in about:config, for which /etc/hosts needed to be invoked:
firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net
FFS do better.
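An added example, not part of the original post: a Python check that the four hard-coded hostnames listed above are actually null-routed by a hosts file, catching commented-out or missing entries. The function names and the sample hosts content are constructed for illustration; pass it the text of /etc/hosts to audit a real machine.

```python
import ipaddress

# Hostnames the post reports as hard-coded (not exposed in about:config).
HARDCODED_HOSTS = [
    "firefox.settings.services.mozilla.com",
    "content-signature-2.cdn.mozilla.net",
    "prod.remote-settings.prod.webservices.mozgcp.net",
    "content-signature-chains.prod.autograph.services.mozaws.net",
]

def parse_hosts(text):
    """Return {lowercased name: first address mapped to it} from hosts-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, ignore the line
        for name in fields[1:]:
            # Assumption: the first entry for a name is the one that counts.
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def audit(text, wanted=HARDCODED_HOSTS):
    """Classify each wanted hostname as 'sinkholed', 'routable' or 'missing'."""
    table = parse_hosts(text)
    result = {}
    for name in wanted:
        addr = table.get(name.lower())
        if addr is None:
            result[name] = "missing"
        elif addr.is_unspecified or addr.is_loopback:
            result[name] = "sinkholed"  # 0.0.0.0, ::, 127.0.0.0/8 or ::1
        else:
            result[name] = "routable"
    return result

# Constructed sample: one entry is commented out, one differs only in case.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 firefox.settings.services.mozilla.com content-signature-2.cdn.mozilla.net  # blocked
#0.0.0.0 prod.remote-settings.prod.webservices.mozgcp.net
:: Content-Signature-Chains.prod.autograph.services.mozaws.net
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{status:10} {host}")
```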
It seems the location.services.mozilla.com probe is otherwise there, even if you turned off location access for websites, so that Mozilla can impose region-specific policies on the browser based on where it thinks you are according to geoip.
This is based on finding it under browser.region.
What are the chances they're using this to disable something privacy-invasive if geoip says you're in the EU?
@dalias Aren't they activating DNS over HTTPS (DoH) towards Cloudflare (and others) outside the EU? https://support.mozilla.org/en-US/kb/firefox-dns-over-https
@aslakr IIRC yep, it could be for that.