Hacker News
by tmikaeld 887 days ago
The point here is that if you use someone else’s DNS, they can redirect any domain to their server and sign the cert too, since they also control the traffic.
1 comment

You can’t serve a valid certificate chain to the client even if you control their traffic, because your malicious certificate isn’t signed by a trusted CA. And you can’t get a CA signature without demonstrating control of the domain to a CA.
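
The chain check the reply describes, shown with `openssl` as an added example that is not part of the thread: a client whose only trust anchor is one CA rejects a certificate for the same hostname issued by a CA it does not trust. The names `trusted-ca`, `rogue-ca` and `example.test` are constructed, and a default `openssl.cnf` is assumed.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: trusted-ca, rogue-ca and example.test are made-up names.

# make_ca DIR NAME: self-signed CA key and certificate (default openssl.cnf marks it CA:TRUE).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA HOST: new key and CSR for HOST, signed by CA; writes DIR/HOST.by-CA.pem.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.by-$2.key" -out "$1/$3.by-$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.by-$2.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.by-$2.pem" 2>/dev/null
}

# client_accepts DIR CERT: chain validation as a client whose only trust anchor is trusted-ca.
client_accepts() {
  openssl verify -CAfile "$1/trusted-ca.pem" "$2" >/dev/null 2>&1
}

# build_pki DIR: both CAs issue a certificate for the same hostname.
build_pki() {
  make_ca "$1" trusted-ca && make_ca "$1" rogue-ca &&
  issue_leaf "$1" trusted-ca example.test &&
  issue_leaf "$1" rogue-ca example.test
}

# verdict DIR CA: print "accepted" or "rejected" for the example.test leaf issued by CA.
verdict() {
  if client_accepts "$1" "$1/example.test.by-$2.pem"; then echo accepted; else echo rejected; fi
}

dir=$(mktemp -d)
build_pki "$dir"
echo "leaf signed by trusted-ca: $(verdict "$dir" trusted-ca)"
echo "leaf signed by rogue-ca:   $(verdict "$dir" rogue-ca)"
rm -rf "$dir"
```

Both leaf certificates carry the same subject; only the issuer differs, and that is what the client's validation keys on.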