For 2...
It uses your authoritative DNS servers directly. (That is, they run their own recursive resolver, rather than delegating to some other company's DNS resolver.) You need to make sure that all of the authoritative servers for your domain name are in sync before having certbot continue with attempting to authorize the name.
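Added example, not part of the original post: one way to confirm that every authoritative server already serves the challenge TXT record before letting certbot continue. The zone `example.com`, the record name, the `TXT_VALUE` variable and the function names are assumptions; the query functions need `dig` and network access.

```bash
#!/usr/bin/env bash
# Added example; example.com, the nameserver names and TXT_VALUE are placeholders.
# The two query functions need dig; check_sync is pure text processing.

# list_authoritative ZONE -> one nameserver hostname per line.
list_authoritative() {
    dig +short NS "$1" | sed 's/\.$//'
}

# query_txt NAMESERVER NAME -> TXT strings served by that one server.
# +norecurse asks the server for its own data only.
query_txt() {
    dig +short +norecurse TXT "$2" "@$1" | tr -d '"'
}

# collect_answers ZONE NAME -> lines of "nameserver<TAB>txt-value";
# a server with no TXT record for NAME gets an empty value.
collect_answers() (
    for ns in $(list_authoritative "$1"); do
        vals=$(query_txt "$ns" "$2")
        if [ -z "$vals" ]; then
            printf '%s\t\n' "$ns"
        else
            printf '%s\n' "$vals" | awk -v ns="$ns" '{ print ns "\t" $0 }'
        fi
    done
)

# check_sync EXPECTED < answers
# Succeeds only if every nameserver in the input serves EXPECTED among its
# TXT values. Prints each lagging nameserver; fails on empty input.
check_sync() {
    [ -n "$1" ] || return 2
    awk -F'\t' -v want="$1" '
        { seen[$1] = 1 }
        $2 == want { ok[$1] = 1 }
        END {
            for (ns in seen) { n++; if (!(ns in ok)) { print ns; bad++ } }
            if (n == 0 || bad > 0) exit 1
        }'
}

# Typical use before letting certbot continue:
#   until collect_answers example.com _acme-challenge.example.com | check_sync "$TXT_VALUE"
#   do sleep 10; done
```

A server that still holds an older challenge value alongside the new one passes, since only the presence of the expected value is checked.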