Certbot, all of the bash and go alternate clients as well as several of the others support the DNS-01 challenge.
At the simplistic level, the client talks to the Let's Encrypt ACME server and obtains a "token" that needs to be placed in a TXT record in your DNS. If your DNS provider has an API then this record can be added automatically, or you can do it manually. Once the TXT record is there, Let's Encrypt verifies this and provides you with a certificate (via the same client).
You will need a new token every time you need to renew for a new certifcate though, hence automation is easier.
Which arguments you need to call depends on which client you are using.