In case you haven't seen it yet, below is an excellent article about LE's multi-perspective validation.
It sounds like your problem is related more to your rate limit, but IP-based firewalls on DNS could be contributors.
As of now, and as the above article explains, LE checks from 5 locations, of which 4 must succeed. The number and quorum can change at any time, so they should not be designed around.
But if one of those 5 locations is blocked by, say, an IP firewall, that leaves no room for error from the other 4.
The primary center must succeed first. Then the secondaries are dispatched at the same time. This is when you'll see the larger burst of queries to your system.