You need only a device on network to spam DHCP messages with malware DNS. So you don't need "shady hotspot", only compromised device within network.