All roads lead to . [0], ie. IANA. Many IANA-approved entities run them[1], but they all only resolve TLDs ICANN authorizes (and those TLD operators control what domains are registered under their TLD, of course).
Well on a technical level there are root servers. But DNS is a hierarchy and so if the root servers ever tried to pull a fast one there are second-in-command authorities that could take over: the cctld orgs. People would rather follow their lead than ICANN, so they have the real power. I'm pretty sure this is by design.
0: https://dns.google/query?name=.&rr_type=NS&ecs=
1: https://www.iana.org/domains/root/servers