You can set up your own caching internal DNS server for your own machines that looks to the root DNS servers for all the top level domains, validating all the returned queries with DNSSEC.
"unbound" for example lets you do that.
If I would be a really bad ISP playing games with DNS I'd also forward all DNS traffic for 8.8.8.8 to my resolvers