My main production systems have a pre/post hook that opens the firewall for an iptables ruleset on port 53 and starts an acme-dns server, then shuts it all down. This lets us run dns-01 challenges for wildcard certs, with traffic open for only very very very small amounts of time. Running this in a ruleset that is early-on also lets us run fail2ban and aggressively ban network blocks.
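As an added example (not the poster's own script), a certbot-style pre/post hook pair in the spirit of the post above: port 53 is opened only while acme-dns runs for the dns-01 challenge, and the post hook tears both down again. It assumes iptables, a systemd unit named acme-dns, and that the script is invoked as `hook.sh pre` / `hook.sh post`; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Example hook script (constructed for illustration; not from the original post).
# Assumptions: iptables, a systemd unit "acme-dns", invoked as "hook.sh pre|post".
# DRY_RUN=1 prints each command instead of running it, so the logic can be checked safely.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The iptables rules live in one place so insert (-I) and delete (-D) always match exactly.
# The comment tags the rules so leftovers are easy to spot in "iptables -S" if a post hook ever fails.
dns_rules() {
  action="$1"   # -I (insert at top of INPUT) or -D (delete)
  run iptables "$action" INPUT -p udp --dport 53 -m comment --comment acme-dns -j ACCEPT
  run iptables "$action" INPUT -p tcp --dport 53 -m comment --comment acme-dns -j ACCEPT
}

# certbot --pre-hook: remove any stale rules from an earlier failed run, then open port 53
# and start the challenge responder. Window opens here.
pre_hook() {
  dns_rules -D 2>/dev/null || true
  dns_rules -I
  run systemctl start acme-dns
}

# certbot --post-hook (runs even when the renewal attempt fails): close the firewall
# first, then stop the responder. Window closes here.
post_hook() {
  dns_rules -D
  run systemctl stop acme-dns
}

case "${1:-}" in
  pre)  pre_hook ;;
  post) post_hook ;;
esac
```

Wire it up with `certbot ... --pre-hook '/path/hook.sh pre' --post-hook '/path/hook.sh post'`; checking `iptables -S INPUT | grep acme-dns` after a run should return nothing.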