Google is way ahead of you, they are a certificate authority now, so in theory they can do this right now. Take a look at any site’s https certificate and a significant portion of them are now signed by Google Trust Services LLC thanks to Cloudflare using them to generate free https certificates (in addition to letsencrypt). Note that they won’t ever pull this trick though because it’ll irreversibly damage their reputation.
But, HTTPS certificates.
Unless they provided overrides for their ads in Chrome, but at that point why do it with DNS.
Google is way ahead of you, they are a certificate authority now, so in theory they can do this right now. Take a look at any site’s https certificate and a significant portion of them are now signed by Google Trust Services LLC thanks to Cloudflare using them to generate free https certificates (in addition to letsencrypt). Note that they won’t ever pull this trick though because it’ll irreversibly damage their reputation.