A more practical solution would be if LE required 5 captchas to be solved to add an additional host to get a certificate. So my proposal would be:
10 certificates per 90 days per “real” domain.
For each additional certificate (bound to a selected FQDN) per 90 days you are required to solve 5 captchas.
a) This does not take many resources on LE's side.
b) Effectively limits the problem with accidentally requested certificates
c) Is not too big a burden for freedns users.
d) Works independently of the public suffix list