Certificates for domains behind firewall / intermediate CA

I know the letsencrypt.sh docs discuss the DNS challenge a bit. In general, it involves creating TXT records for the hostname in question with cryptographically-determined contents. To be practical, your DNS provider needs to have an API that will allow record changes to be made by software, but many providers do allow that. I’m sure there are other docs which go into more detail, but I’m not sure off the top of my head where they are.
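Added example (not part of the original post and not letsencrypt.sh code): how the TXT record name and contents are derived for ACME's dns-01 challenge, following RFC 8555 section 8.4 and the RFC 7638 key thumbprint. The hostname, token and account key below are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import json

# Members RFC 7638 requires in a thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, with no whitespace."""
    members = REQUIRED_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError("JWK is missing members: %s" % ", ".join(missing))
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict):
    """Return (record name, TXT value) the CA will look up for this challenge."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard name is validated at its base domain.
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".") + ".", value


# Constructed sample inputs: not a real key, and not a token issued by any CA.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-from-the-CA"

if __name__ == "__main__":
    name, value = dns01_record("internal.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print('%s 60 IN TXT "%s"' % (name, value))
```

The value depends only on the CA's token and the account's public key, so the host being certified never has to accept an inbound connection; only the DNS zone has to be publicly resolvable.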