diff --git a/netwerk/dns/nsHostResolver.cpp b/netwerk/dns/nsHostResolver.cpp
index b3215212764f..42e2ad384778 100644
--- a/netwerk/dns/nsHostResolver.cpp
+++ b/netwerk/dns/nsHostResolver.cpp
@@ -1453,9 +1453,12 @@ nsresult nsHostResolver::NameLookup(nsHostRecord* rec) {
     rv = TrrLookup(rec);
   }
 
+  bool serviceNotReady =
+      !gTRRService || !gTRRService->Enabled(effectiveRequestMode);
+
   if (effectiveRequestMode == nsIRequest::TRR_DISABLED_MODE ||
       (effectiveRequestMode == nsIRequest::TRR_FIRST_MODE &&
-       (rec->flags & RES_DISABLE_TRR) && NS_FAILED(rv))) {
+       (rec->flags & RES_DISABLE_TRR || serviceNotReady) && NS_FAILED(rv))) {
     if (!rec->IsAddrRecord()) {
       return rv;
     }
diff --git a/netwerk/test/unit/test_trr.js b/netwerk/test/unit/test_trr.js
index 2f676f034db1..af789cf28e52 100644
--- a/netwerk/test/unit/test_trr.js
+++ b/netwerk/test/unit/test_trr.js
@@ -1377,3 +1377,26 @@ add_task(async function test_vpnDetection() {
     "changed"
   );
 });
+
+// confirmationNS set without confirmed NS yet
+// checks that we properly fall back to DNS is confirmation is not ready yet
+add_task(async function test_resolve_not_confirmed() {
+  dns.clearCache(true);
+  Services.prefs.setIntPref("network.trr.mode", 2); // TRR-first
+  Services.prefs.clearUserPref("network.trr.useGET");
+  Services.prefs.clearUserPref("network.trr.disable-ECS");
+  Services.prefs.setCharPref(
+    "network.trr.uri",
+    `https://foo.example.com:${h2Port}/doh?responseIP=1::ffff`
+  );
+  Services.prefs.setCharPref(
+    "network.trr.confirmationNS",
+    "confirm.example.com"
+  );
+
+  let [, , inStatus] = await new DNSListener("example.org", undefined, false);
+  Assert.ok(
+    Components.isSuccessCode(inStatus),
+    `${inStatus} should be a success code`
+  );
+});