DNSSEC is the actual solution, providing authenticity and integrity for DNS records. The DNS client can verify that the received DNS response is what the zone admin intended. Additional records (NSEC / NSEC3) are used to provide a proof of non-existence, preventing suppression from a MITM attacker. But if your government is MITMing you, you don't want them to see you use DNSSEC. DoH is useful in that case, because a MITM sees only HTTPS traffic, which is less suspicious than DoT.
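
An added example, not part of the comment above: a sketch of the check a validator makes to accept an NSEC record as proof that a name does not exist. The zone names, the `CHAIN` list and the function names are constructed for illustration, and the RRSIG over each NSEC record is assumed to have been verified already.

```python
from typing import List, Optional, Tuple

# Constructed NSEC chain for a toy zone: (owner name, "next domain name").
CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "mail.example.com."),
    ("mail.example.com.", "www.example.com."),
    ("www.example.com.", "example.com."),  # last record wraps to the apex
]

def canonical_key(name: str) -> List[bytes]:
    """Canonical DNS name order (RFC 4034, section 6.1): labels are compared
    right to left, lowercased, as raw octets; a missing label sorts first."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record owner -> next_name proves qname is absent."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        # Ordinary gap: qname must fall strictly between the two names.
        return o < q < n
    # Wrap-around record: next_name is the zone apex, so qname must sort
    # after the last owner and still lie inside the zone.
    return q > o and q[:len(n)] == n

def find_denial(chain, qname: str) -> Optional[Tuple[str, str]]:
    """Return the NSEC record that denies qname, or None if none does.
    None means an NXDOMAIN answer for qname cannot be validated."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

if __name__ == "__main__":
    for q in ("ftp.example.com.", "zzz.example.com.", "www.example.com."):
        print(q, "->", find_denial(CHAIN, q))
```

NSEC3 applies the same interval test to hashed owner names instead of the names themselves; that variant is not shown here.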
crote|11 months ago