throawayonthe 9 hours ago

How can this be done at the DNS level? Shouldn't SSL certificates prevent third party content from being shown in the browser?

sceptic123 7 hours ago | parent | next [-]

My ISP currently makes them not resolve (with scary sounding domains):

  ; <<>> DiG 9.10.6 <<>> @192.168.1.254 annas-archive.li
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18716
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;annas-archive.li.  IN A

  ;; ANSWER SECTION:
  annas-archive.li. 845 IN CNAME www.ukispcourtorders.co.uk.
  www.ukispcourtorders.co.uk. 511 IN CNAME ukispblk.vo.llnwd.net.
  ukispblk.vo.llnwd.net. 845 IN CNAME ukispblk.vo.llnwd.net.edgesuite.net.

  ;; Query time: 3 msec
  ;; SERVER: 192.168.1.254#53(192.168.1.254)
  ;; WHEN: Wed Feb 18 12:06:25 GMT 2026
  ;; MSG SIZE  rcvd: 169
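
An added example, not part of any post in this thread: a small Python check that parses a dig answer section, follows the CNAME chain, and reports whether it ever reaches an address record. The function names and the second sample answer (`example.test`, `192.0.2.10`) are constructed for illustration.

```python
import re

# Answer section copied from the dig output quoted in the comment above.
POSTED_ANSWER = """\
  annas-archive.li. 845 IN CNAME www.ukispcourtorders.co.uk.
  www.ukispcourtorders.co.uk. 511 IN CNAME ukispblk.vo.llnwd.net.
  ukispblk.vo.llnwd.net. 845 IN CNAME ukispblk.vo.llnwd.net.edgesuite.net.
"""
# Constructed sample of an ordinary answer (reserved test name, documentation IP).
NORMAL_ANSWER = """\
example.test. 300 IN CNAME cdn.example.test.
cdn.example.test. 60 IN A 192.0.2.10
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")

def norm(name):
    return name.rstrip(".").lower()

def parse_answer(text):
    """Return (owner, type, rdata) for each record line; dig ';' comments are skipped."""
    out = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m and not m.group(1).startswith(";"):
            out.append((norm(m.group(1)), m.group(2).upper(), norm(m.group(3))))
    return out

def assess(qname, text):
    """Follow the CNAME chain from qname and summarise where it ends."""
    records = parse_answer(text)
    cname = {o: r for o, t, r in records if t == "CNAME"}
    chain = [norm(qname)]
    while chain[-1] in cname and cname[chain[-1]] not in chain:  # stop on loops
        chain.append(cname[chain[-1]])
    addresses = [r for o, t, r in records if t in ("A", "AAAA") and o == chain[-1]]
    suffix = "." + chain[0]
    return {
        "chain": chain,
        "addresses": addresses,
        # Aliases but no address: the browser has nothing to connect to.
        "dead_end": len(chain) > 1 and not addresses,
        # Hops outside the queried name; CDNs do this too, so it is context, not proof.
        "off_zone": [h for h in chain[1:] if not h.endswith(suffix)],
    }

if __name__ == "__main__":
    for q, text in (("annas-archive.li", POSTED_ANSWER), ("example.test", NORMAL_ANSWER)):
        print(q, assess(q, text))
```
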

zygentoma 9 hours ago | parent | prev | next [-]

Well, you get the warning, but as long as HSTS is not active, you can still click on "Accept the risk and continue" …

[EDIT:] Just checked a bit closer, they are using a Let's Encrypt cert for "cuii.telefonica.de", which is obviously the wrong domain, but as I said above, as long as HSTS is not active for "annas-archive.li", you can still bypass via the button.

gzread 7 hours ago | parent | prev | next [-]

It does. The browser won't load the content because it detects your connection was tampered with.

dizhn 7 hours ago | parent | prev [-]

They redirect to a different URL.