Preventing an attacker with DNS control from issuing certificates

I don’t think there’s a comprehensive industry-standard response to this problem. You can use CAA, but that also goes via the DNS so the attacker can remove the policy.

It’s possible that Let’s Encrypt or another part of the DV industry could invent some parallel mechanism to CAA that’s more durable or out-of-band, but this hasn’t happened yet.

For Let’s Encrypt in particular, if you get a cert from us or someone else at the outset and start using it, we won’t issue an additional cert while we know that one is valid and in use unless you can show cryptographically that you control that cert or the Let’s Encrypt account that requested it. That policy doesn’t necessarily apply to other DV CAs’ issuance.

The big challenge is that for DV, the DNS records are basically considered the ground truth about the meaning of names.

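To make the CAA point in the reply concrete, here is an added example (not code from the original post, Let's Encrypt, or any CA) that implements the CAA lookup and issuance check from RFC 8659 over a constructed in-memory zone. The zone data, the `.test` names, and the CA identifiers `letsencrypt.org` and `other-ca.test` are all constructed for illustration. The check walks from the requested name toward the root, takes the first CAA RRset it finds, and decides whether a given CA is permitted to issue; the last helper shows what happens once an attacker who controls the zone simply deletes the CAA record.

```python
# Added example: RFC 8659 CAA evaluation over a constructed in-memory zone.
# Not the post's or any CA's code; names and records below are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or 128 for "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or ";" (no CA may issue)


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(zone, name):
    """Return the first non-empty CAA RRset found walking from name to the root.

    For a wildcard name the leading '*' label is dropped first (RFC 8659 s.3).
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_in_value(value, ca_domain):
    """Compare the issuer-domain part of a CAA value (text before any ';') to the CA."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer == ca_domain.lower()


def may_issue(zone, name, ca_domain):
    """Decide whether ca_domain is permitted to issue for name under the zone's CAA policy."""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True  # no CAA policy anywhere in the tree: any CA may issue
    # An unrecognised tag flagged issuer-critical forbids issuance outright.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = name.startswith("*.")
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # CAA set present but no applicable issue/issuewild: unrestricted
    return any(ca_in_value(r.value, ca_domain) for r in governing)


# Constructed zone: the apex pins issuance to letsencrypt.org; one child name
# forbids issuance entirely with the empty issuer ";".
ZONE = {
    "example.test": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:security@example.test"),
    ],
    "locked.example.test": [CAARecord(0, "issue", ";")],
}


def zone_with_caa_removed(zone):
    """Model the scenario in the post: an attacker with DNS control deletes the CAA policy."""
    return {name: [] for name in zone}


if __name__ == "__main__":
    for name, ca in [("www.example.test", "letsencrypt.org"),
                     ("www.example.test", "other-ca.test"),
                     ("*.example.test", "letsencrypt.org"),
                     ("locked.example.test", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:22}: {may_issue(ZONE, name, ca)}")
    stripped = zone_with_caa_removed(ZONE)
    print("after CAA removal, other-ca.test ->", may_issue(stripped, "www.example.test", "other-ca.test"))
```

With the record in place the check refuses `other-ca.test` for any name under `example.test`, but once the zone owner's CAA record is gone the walk finds no policy and every CA passes, which is exactly why CAA cannot defend against an attacker who already controls the DNS.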