You may also find this post helpful, describing how Let's Encrypt validates that you control your domain name from many places around the world.
If you can't open your port 80 to everyone (even in a scripted way only while requesting validation), but you can have your authoritative DNS server open to everyone, then the DNS-01 challenge is probably the way to go.