I just made my own certificate with a local domain .corp.anything.country (e.g. corp.yahoo.com).
The network topology was [ router connected to the internet - internal DNS servers - certbot Linux box (with the internal DNS servers as resolver) ].
I created a TXT _acme-challenge record on the publicly available DNS servers, thinking that certbot would use the A/B/C etc. servers to resolve the TXT record, but verification didn't work.
So I put the TXT record _acme-challenge on my local internal DNS server, and verification worked fine for a wildcard certificate.
So I can create a TXT record _acme-challenge in my own internal DNS server for the *.google.com domain and verification will work, or for my banking account, so you have a legal certificate for a man in the middle.
You should change the code to verify records only via servers available on public DNS or websites.