They're using Little Snitch as an OS-level DNS proxy, which should intercept all DNS requests from any app and encrypt them. But, depending on what API the app uses for its DNS lookups, some DNS requests do not go via the proxy. Presumably Firefox, in its default configuration with DNS encryption set to OFF ("Use your default DNS resolver"), uses one the affected APIs.