Despite disabling most of Mozilla’s telemetry and other phone-home functionality (such as captive portal), I found that a fresh LibreWolf profile makes quite a few connections on first startup (see list below), and some repeat on every startup. One in particular is persistent: the connection to push.services.mozilla.com, which can be disabled by setting the dom.push.enabled configuration to false (I personally don’t need push notifications in the browser; you can also set a custom URL).
What is particularly annoying is that some of these domains, related to “remote settings”, are essentially hard-coded and cannot be disabled by changing configuration parameters. I now block these three in my /etc/hosts file.
firefox.settings.services.mozilla.com
firefox-settings-attachments.cdn.mozilla.net
content-signature-2.cdn.mozilla.net
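One way to add these three entries idempotently, as an added example that is not from the original post. The function names is_blocked and block_hosts and the 0.0.0.0 sink address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotently null-route the three remote-settings domains
# named in the post. Function names and the 0.0.0.0 sink are assumptions.

REMOTE_SETTINGS_DOMAINS="firefox.settings.services.mozilla.com
firefox-settings-attachments.cdn.mozilla.net
content-signature-2.cdn.mozilla.net"

# is_blocked FILE DOMAIN: succeeds if FILE already maps DOMAIN to a
# null or loopback address on an active (non-comment) line.
is_blocked() {
    awk -v d="$2" '
        { sub(/#.*/, "") }    # drop comments so commented-out entries do not count
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# block_hosts FILE: append a null route for each domain not yet blocked
# and print the number of entries added.
block_hosts() {
    file=$1
    added=0
    for domain in $REMOTE_SETTINGS_DOMAINS; do
        if ! is_blocked "$file" "$domain"; then
            # Make sure the new entry starts on its own line.
            if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
                echo >> "$file"
            fi
            printf '0.0.0.0 %s\n' "$domain" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

Calling `block_hosts /etc/hosts` needs root; running it a second time adds nothing and prints 0.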
Helpfully, Mozilla lists domains to allow, so you can find more domains to potentially block.
Here is the list of domains LibreWolf connected to at startup of a fresh profile. Some are understandable, some less so.
addons.mozilla.org
firefox.settings.services.mozilla.com
firefox-settings-attachments.cdn.mozilla.net
content-signature-2.cdn.mozilla.net
services.addons.mozilla.org
gitlab.com
push.services.mozilla.com
ublockorigin.github.io
malware-filter.gitlab.io
raw.githubusercontent.com
pgl.yoyo.org
curbengh.github.io
malware-filter.pages.dev
cdn.statically.io
versioncheck-bg.addons.mozilla.org
cdn.jsdelivr.net
ublockorigin.pages.dev
publicsuffix.org
codeberg.org


I believe these two:
involve certificate expiration, so they are really important. But I could be wrong.