diff --git a/playbook.yaml b/playbook.yaml
index 15d5d15..59364f5 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -217,11 +217,24 @@ name: "*"
 state: latest # noqa: package-latest
 # Install a policy file to force Firefox to use encrypted DNS
- - name: Create Firefox DNS policy
- ansible.builtin.template:
- src: templates/policies.json
- dest: /etc/firefox/policies/policies.json
+ - name: Create Firefox DNS policy, line 1
+ ansible.builtin.lineinfile:
+ path: /usr/lib64/firefox/defaults/pref/autoconfig.js
 mode: "644"
+ create: true
+ line: lockPref("network.trr.mode", 3);
+ - name: Create Firefox DNS policy, line 1
+ ansible.builtin.lineinfile:
+ path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+ mode: "644"
+ create: true
+ line: lockPref("network.trr.url", "{{ dns_server }}");
+ - name: Create Firefox DNS policy, line 1
+ ansible.builtin.lineinfile:
+ path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+ mode: "644"
+ create: true
+ line: lockPref("network.trr.custom_uri", "{{ dns_server }}");
 # Generally speaking, I try to install Flatpak applications at the user level
 # b/c that really gives more credence to the whole sandboxing idea (concept of
diff --git a/programs/firefox.nix b/programs/firefox.nix
index 9512b83..89f2267 100644
--- a/programs/firefox.nix
+++ b/programs/firefox.nix
@@ -237,6 +237,9 @@
 "extensions.formautofill.addresses.enabled" = false;
 "extensions.formautofill.creditCards.enabled" = false;
 "extensions.autoDisableScopes" = 0;
+ "network.trr.mode" = 3; # DNS over HTTPS always
+ "network.trr.uri" = "https://family.dns.mullvad.net/dns-query";
+ "network.trr.custom_uri" = "https://family.dns.mullvad.net/dns-query";
 "privacy.bounceTrackingProtection.mode" = 1;
 "privacy.clearOnShutdown_v2.browsingHistoryAndDownloads" = false;
 "privacy.clearOnShutdown_v2.cache" = true;
diff --git a/templates/policies.json b/templates/policies.json
deleted file mode 100644
index 72f87f5..0000000
--- a/templates/policies.json
+++ /dev/null
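Review bot: The second new task locks `network.trr.url`, but the firefox.nix hunk in this same commit sets `network.trr.uri`, which is the preference Firefox reads for the resolver, so with `network.trr.mode` at 3 the playbook likely leaves the DoH endpoint unpinned; the line should read `line: lockPref("network.trr.uri", "{{ dns_server }}");`. All three tasks are also named `Create Firefox DNS policy, line 1`; numbering them 1 to 3 keeps the play output readable. Separately, as far as I know `lockPref()` is an AutoConfig function that normally lives in the `.cfg` file named by `general.config.filename`, whereas files under `defaults/pref/` are parsed as plain `pref(...)` entries, so these lines may be rejected and the setting would silently stop being enforced where the removed policies.json had `"Locked": true` and `"Fallback": false`. It is worth confirming on a provisioned host that about:config shows the three preferences as locked.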
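Review bot: The resolver URL is written out twice here as a literal, and separately from the `dns_server` variable the playbook uses, so the two configurations can drift apart when the provider changes; binding it once (for example a `let` name used for both `network.trr.uri` and `network.trr.custom_uri`) would keep them in step. The enclosing attribute set starts outside this hunk, so I cannot tell whether these are plain profile settings or locked ones; if they are plain settings, a user can change them in the running session, unlike the `lockPref` lines on the Ansible side. The comment on the mode line could state the consequence, e.g. `# 3 = TRR only: no fallback to the system resolver`.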
@@ -1,10 +0,0 @@
-{
- "policies": {
- "DNSOverHTTPS": {
- "Enabled": true,
- "ProviderURL": "{{ dns_server }}",
- "Locked": true,
- "Fallback": false
- }
- }
-}