Hacker News

Similarly, open resolvers, e.g., "public DNS service" from Google, Cloudflare, Cisco (OpenDNS), Quad9, etc. or DNS provided by an ISP. A remote DNS cache is, IMO, a "MITM". It can censor among other things. Quad9, for example, is doing this right now.

Even so-called "encrypted DNS" such as DNSCrypt or more recently DoH only applies to the path between the client and the cache, not the cache and the authoritative server. In the same way that the path between a client and Cloudflare and the path between Cloudflare and the origin server are separated by CF as a "MITM".

NB. It's possible to exclude the remote DNS cache and have encrypted DNS between client and authoritative server, the software exists, even for DNSCrypt, but it never caught on. I have often thought about starting a registry that requires registrants to offer encrypted authoritative DNS.


