Problem with Let's Encrypt validation after blocking all server IPs

Kinda close; you can use something like acme-dns that your main zone does a CNAME to, so that the TXT record gets changed in a special-purpose DNS server, and you don't need to update your main DNS zone.

But even that won't help you if you're blocking port 53 DNS traffic. You need to validate that you control the domain as seen from everywhere on the Internet, and so that requires responding to a challenge of some kind (whether DNS or HTTP) from places around the Internet.

This FAQ might help explain some things:

There are plenty of free certificate providers besides Let's Encrypt, and plenty of paid providers, and many of them support automation with your system, whether through ACME or otherwise. But all of them require you to prove control over the domain (either automatically or manually), and will soon all be checking from multiple places around the world (even though many are only checking from one place for now).

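To make the point of the reply above concrete, here is an added example (not code from the post, from Let's Encrypt, or from acme-dns) that walks the DNS-01 check the way a validator does: it follows the `_acme-challenge` CNAME from the main zone into a delegated acme-dns zone and compares the TXT value there against the RFC 8555 key-authorization digest. The zone names, token and thumbprint are constructed placeholders, and the dictionary stands in for what a public resolver would see; a name missing from it models a DNS server the Internet cannot reach.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def expected_txt(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode()
    return b64url(hashlib.sha256(key_authorization).digest())


def lookup_txt(dns, name, max_hops=8):
    """Follow CNAMEs like a validator; return the TXT values at the end of the chain,
    or None when a name cannot be resolved (unreachable server, loop, dangling CNAME)."""
    for _ in range(max_hops):
        records = dns.get(name)
        if records is None:
            return None  # nothing answers for this name from the public Internet
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # hop into the delegated (e.g. acme-dns) zone
            continue
        return [value for rtype, value in records if rtype == "TXT"]
    return None  # too many hops: treat as a loop


def dns01_passes(dns, domain, token, jwk_thumbprint):
    """True only if the challenge name resolves publicly to the expected digest."""
    txts = lookup_txt(dns, f"_acme-challenge.{domain}.")
    return txts is not None and expected_txt(token, jwk_thumbprint) in txts


# Constructed sample values; a real CA issues the token and the client owns the key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

# The main zone only carries a CNAME; the TXT lives in the delegated acme-dns zone,
# so renewals never touch example.com itself.
PUBLIC_DNS = {
    "_acme-challenge.example.com.": [("CNAME", "a1b2c3.auth.acme-dns.example.net.")],
    "a1b2c3.auth.acme-dns.example.net.": [("TXT", expected_txt(TOKEN, THUMBPRINT))],
}

if __name__ == "__main__":
    print("delegated zone reachable:", dns01_passes(PUBLIC_DNS, "example.com", TOKEN, THUMBPRINT))
    print("DNS blocked from the Internet:", dns01_passes({}, "example.com", TOKEN, THUMBPRINT))
```

The second call shows the reply's caveat: with port 53 blocked, the validator sees no records at all, so the CNAME trick cannot help.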