Yes and no. Yes, if the attacker controls the DNS, he can return his own server's IP, and your browser will connect to the attacker's server showing the original name in the url bar. Fortunately TLS should save you because the attacker should not have a valid certificate (but it would save you also with OTP). If you disregard the TLS/HTTPS warning, then Webauthn breaks.