Fortunately, secure DNS servers plus DNSSEC were designed to prevent bad actors from altering DNS results in-stream. This is good because now the ultimate bad actor wants to do it.
The more the Empire tightens its grip, the more star systems slip through its fingers.
Right, there are ways around it, but if they stop the unwashed masses, then they consider it a success.
I take it back there is one way:
Mandate a compromised IP stack + backdoored CPU ( vpro, for example ) on every machine that connects to the network.
I remember in the old days of dial-up how some companies had their own custom IP stack + software to be able to connect to their service. Sure, it was not nefarious at the time as it was still the early days, but i was thinking "this could be really bad if used the wrong way"
A few others did too, the 'local' one i used for a while ( i forget the name now, its been too long ) also did it.
I do realize its long ago not everyone did it, etc. bla bla. Just pointing out that they could do it, again.