ah forgot about ECH
* https://blog.cloudflare.com/encrypted-client-hello/
what's weird is my ancient version of chrome passes ECH
but my Firefox ESR does not have ECH and I cannot figure out how to turn it on in about:config, googling fails me
wait! found it, 3rd times the charm
network.dns.echconfig.enabled
set to TRUE = ECH enabled, passes test