How does that help? You can tell any computer it's Google.com or IP 8.8.8.8. you can tell your device that the other computer is correct, and middle man yourself

Except, we have one key to rule them all, one key to bind them. There's literally a group of people who split the root key among themselves, and scattered it across the world (when they went home). They get together ever year or two, and on a blessed air-gapped computer, unite the key to sign the top level domains again. Those domains sign intermediate domains, and down the chain they sell and sign domains.

If any of these root domains fall to evil, these brave guardians can speed walk to the nearest airport and establish a new order

(I think we actually just started installing all the root and some trusted intermediate domains on every device directly, so I'm not sure if they still bother, but it's a better story)

The solution you're looking for is DNSS, where we encrypt the DNS request too so they can't see any of the url. Granted, they can still look at you destination and usually put the pieces together, but it's still a good idea

Ultimately, packets have to get routed, all we can do is do our best to make sure no one can see enough of the picture to matter. There's more exotic solutions that crank that up to 11, but the trade offs are pretty extreme