Can Let's Encrypt support a use-case where a webserver does not allow inbound public connectivity?

Yes.

You need to use the DNS-01 authentication challenge for this. Instead of answering a secret challenge via a web request with the HTTP-01 challenge, you will use the public DNS records to handle this.

The best practice for this is to use a CNAME record to delegate the _acme-challenge record to a secondary DNS system that only handles DNS-01 challenges. There is an open source project acme-dns that can be used to securely manage these DNS records.

6 Likes
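To make concrete what the CA actually looks up during a DNS-01 validation with the CNAME delegation described above, here is an added example; it is not code from the answer, from Let's Encrypt or from the acme-dns project. It computes the TXT value the ACME client must publish (RFC 8555 section 8.4: base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint), then walks a small constructed in-memory zone the way a validator would, following `_acme-challenge.<domain>` through a CNAME into a separate delegated zone before reading the TXT record. The account key JWK, the token and every hostname in the zone are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Owner name the CA queries for a DNS-01 challenge (fully qualified)."""
    return f"_acme-challenge.{domain}."


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs like a resolver would and return the TXT strings at the end of the chain."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return []                      # NXDOMAIN / no data: validation fails
        if rr["type"] == "CNAME":
            name = rr["target"]            # hop into the delegated zone
            continue
        if rr["type"] == "TXT":
            return rr["values"]
        return []
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """Mirror the CA-side check: the expected digest must appear among the resolved TXT strings."""
    return dns01_txt_value(token, jwk) in resolve_txt(zone, challenge_name(domain))


# --- constructed sample data (placeholders, not real keys or hostnames) ---
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate",
              "y": "constructed-y-coordinate", "use": "sig"}  # 'use' is ignored by the thumbprint
SAMPLE_TOKEN = "constructed-challenge-token"
INTERNAL_HOST = "intranet.example.com"           # the server with no inbound connectivity
DELEGATED_NAME = "0f1e2d3c-placeholder.auth.acme-dns.example.net."  # record in the acme-dns zone

SAMPLE_ZONE = {
    # Long-lived CNAME in the main zone; it is the only change the main DNS ever needs.
    challenge_name(INTERNAL_HOST): {"type": "CNAME", "target": DELEGATED_NAME},
    # Short-lived TXT written by the ACME client into the delegated acme-dns zone.
    DELEGATED_NAME: {"type": "TXT", "values": [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)]},
}

if __name__ == "__main__":
    print("publish TXT:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("CNAME chain resolves to:", resolve_txt(SAMPLE_ZONE, challenge_name(INTERNAL_HOST)))
    print("validation passes:", validate_dns01(SAMPLE_ZONE, INTERNAL_HOST, SAMPLE_TOKEN, SAMPLE_JWK))
```

The point the split makes visible: the credential that can write DNS records (the acme-dns API key) only ever touches the delegated zone, so a compromised ACME client on the isolated host cannot alter the main zone, and the main zone's CNAME never has to change between renewals.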