Having your own DNS server is not substantially harder than having your own HTTP server. Get a domain, set up bind or similar (or a crocked variant thereof), make your domain authoritative for its subdomains, set up forward/reverse DNS on your bind server for a subdomain for an IP address, hit servers from that IP, anybody that resolves it gets pwned.
Not counting DNS propagation delays, this is not even an hour of work. Heck, you wouldn't even need a noncompliant version of bind - sockets and your favorite scripting language could be set to return whatever DNS-looking replies you want.
I think you missed where I said a resolver would not accept these exploit records. You cannot set up your own DNS server and have a resolver pass your records on. You have to be the target's resolver or mitm it. Or do it locally.
My understanding of DNS is that when you want to look up somesite.corp.com, your computer first goes to its configured resolver. The resolver returns what it knows about the domain you wanted.
If that information includes an NS record, it has to make another query to the server mentioned in that record to actually retrieve the information (since, say, 8.8.8.8 doesn't have its own records for the stuff somedomain.corp is authoritative for).
> it has to make another query to the server mentioned
Almost. It's the resolver making the query, not your client, and the resolver won't accept the bad records.
---
Your client application uses your host's DNS resolver library to query a DNS resolver for DNS records. It will only ask the configured resolver for records, and only receive them from the same configured resolver. So all records must go through your resolver. ('DNS resolver' = '8.8.8.8')
The resolver will do all the heavy lifting with external servers to find your records. Think of it as the 'gateway': if you are inside a network with no internet access, but you still want to resolve records (say, on a captive portal wifi network), some server needs to straddle your network and the internet to talk to internet-side DNS servers. The resolver does that work so your client doesn't have to, and can be on multiple networks, etc. (On a wifi network your resolver will probably be '192.168.1.1' or some other internal router/server)
So basically, your client [and its resolver library] will never ever talk to someone else's DNS server directly. So it won't talk to an 'evil' DNS server either. It will only talk to your 'good' resolver ("8.8.8.8"). And your 'good' resolver is checking to make sure the responses are valid, and truncating or dropping bad responses so you don't get them.
So no, you cannot just set up an evil DNS server and own random hosts. You need to be the resolver. But your IP probably isn't 8.8.8.8, so you will probably not be able to own random targets.
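The post above says the recursive resolver "is checking to make sure the responses are valid" and drops bad records before the stub resolver ever sees them. One concrete check of that kind is the bailiwick rule: a recursive resolver only accepts records whose owner name lies inside the zone of the server it just queried, so a server for one zone cannot slip in records for names it is not responsible for. The following is an added example, not code from the thread or from any real resolver; it builds a constructed wire-format DNS response, parses it with a minimal parser, and applies the bailiwick filter the way a recursive resolver would. The zone name `example.test.` and all addresses are made up for the example.

```python
import struct

A = 1   # RR type A
NS = 2  # RR type NS

# --- wire-format helpers (constructed messages, no network involved) ---

def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ip4(text):
    return bytes(int(part) for part in text.split("."))

def build_rr(name, rtype, rdata, ttl=300):
    # NAME, TYPE, CLASS (IN = 1), TTL, RDLENGTH, RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(qname, answers, authority, additional):
    # ID, flags (QR + RD + RA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return header + question + b"".join(answers) + b"".join(authority) + b"".join(additional)

# --- parser: what the recursive resolver does with the bytes it receives ---

def decode_name(msg, offset):
    """Decode a possibly-compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 20:                        # refuse pointer loops
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg):
    """Return {'answer': [...], 'authority': [...], 'additional': [...]} of (name, type, ttl, rdata)."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                          # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            records.append((name, rtype, ttl, msg[offset:offset + rdlen]))
            offset += rdlen
        sections[section] = records
    return sections

# --- the bailiwick check ---

def in_bailiwick(name, zone):
    """True if name is zone itself or a descendant of zone (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)

def sanitize(sections, zone):
    """Keep only records inside the queried server's zone; report what was dropped."""
    kept, dropped = {}, []
    for section, records in sections.items():
        kept[section] = [r for r in records if in_bailiwick(r[0], zone)]
        dropped += [(section, r[0]) for r in records if not in_bailiwick(r[0], zone)]
    return kept, dropped

def demo():
    # Pretend we queried the (hypothetical) authoritative server for example.test.
    zone = "example.test."
    answers = [build_rr("www.example.test.", A, ip4("192.0.2.10"))]
    authority = [build_rr("example.test.", NS, encode_name("ns1.example.test."))]
    additional = [
        build_rr("ns1.example.test.", A, ip4("192.0.2.53")),   # in bailiwick: legitimate glue
        build_rr("ns1.other.test.", A, ip4("203.0.113.66")),   # out of bailiwick: must not be cached
    ]
    msg = build_response("www.example.test.", answers, authority, additional)
    return sanitize(parse_response(msg), zone)

if __name__ == "__main__":
    kept, dropped = demo()
    print("dropped:", dropped)
```

The stray `ns1.other.test.` record is discarded because its owner name is outside `example.test.`, which is exactly why a client behind a well-behaved recursive resolver never receives records from a server that merely claims to know about some other domain; only the records the resolver judged valid are passed back to the stub.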