Comment by gerdesj
2 days ago
I know exactly (within reason) how TLS works. However that enforceable guarantee may not be in the end user's best interests.
Your browser could require via TLS responses signed only by certain CAs, and even do that covertly and flatly refuse to use the system-configured DNS, and fib and lie. At least DNS over UDP/TCP can be easily manipulated locally through a packet filter and via NAT, and it can be inspected by the end user easily.
No, I am not suggesting you break any security model - a MitM run by yourself is yours and yours alone. If you consider your browser might be hostile <tin foil crackling sound effect here> then you really have to look quite deeply into what security model you are dealing with and how it really works.
Proxies and so on are just tools for a job as are DNS servers (I have one just for my customer's Let's Encrypt challenges) and all the rest.
I like to forget the usual trite networking bollocks and think quite clearly about how it all really hangs together. I start with what I would like to be the source of "truth" with regard to the thing I type into the browser and the IP address that is returned and connected to.
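The point about plain DNS being easy for the end user to inspect, as an added example that is not part of the comment above: a small decoder for a DNS response in wire format (RFC 1035 header, question, answer records with name compression), applied to a constructed reply for `example.com` that uses documentation addresses from 192.0.2.0/24. The `build_response` helper, the transaction-ID check and all sample values are assumptions made for this illustration, not anything from the comment.

```python
"""Decode a plain (UDP/TCP) DNS response so a user can see what was answered."""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, addresses: list, ttl: int = 300) -> bytes:
    """Construct a minimal A-record response (constructed sample data, not captured).

    Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0. Each answer uses a
    compression pointer (0xC00C) back to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def read_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly-compressed name; return (name, offset after the name)."""
    labels = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two high bits set: 14-bit pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped = True
            offset = pointer
            hops += 1
            if hops > 32:  # a malformed reply could loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse header, questions and answers; reject replies that do not match our query."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:  # a mismatched ID is the first sign of a spoofed reply
        raise ValueError(f"transaction id mismatch: got {txid:#06x}, expected {expected_txid:#06x}")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        record = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
        if rtype == 1 and rdlength == 4:  # A record: four raw octets
            record["address"] = ".".join(str(b) for b in rdata)
        else:
            record["rdata"] = rdata
        answers.append(record)
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


if __name__ == "__main__":
    sample = build_response(0x1234, "example.com", ["192.0.2.1", "192.0.2.2"])
    for record in parse_response(sample, 0x1234)["answers"]:
        print(record["name"], record["ttl"], record.get("address"))
```

The same decoder works on a real reply captured with a packet filter or tcpdump on port 53; feeding it bytes from any resolver other than the one you configured is exactly the kind of check the comment is talking about, and there is no equivalent for a browser that has tunnelled its lookups inside TLS.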