There must be a public DNS entry yourdomain.com -> some entries, so that Let's Encrypt can confirm that you are the owner of yourdomain.com.
There are actually two simple validations:
You can create a DNS entry (type TXT) with the name _acme-challenge.yourdomain.com and a special value given by Let's Encrypt. Then you don't need a webserver (dns-01 challenge).
You have a DNS entry yourdomain.com -> ip-address, port 80 is open, and you put a special file into
so that Let's Encrypt can load the file.
To do that, your port 80 must be open (http-01 challenge).
The problem with the dns-01 challenge is that the renewal (every 60 - 80 days) needs an API of your DNS provider, or you have to do it manually. So if there is a webserver, the http-01 challenge is simple: certbot can save the file directly.
PS: If you create a certificate, this is logged with your domain name. It can then be found using one of the Certificate Transparency logs. So your domain name is public.