Elaborating on what @Osiris said above:
NEVERMIND MY TEXT BELOW; the next comment by @Nummer378 points out the authoritative DNS server would be blocked and unable to serve the CNAME
You can use CNAMEs to delegate DNS-01 acme-challenge records on your authoritative DNS to a secondary DNS system.
The acme-dns system was designed for this (link to source and overview below). You could either install your own acme-dns on another network (a $5 linode or similar would suffice), or you could use a 3rd party commercial vendor.
I prefer to use a self-hosted acme-dns, and toggle firewall rules so that it is only open to the public internet during certificate renewal.
The same concept could apply to port-80 filtering - the only time the acme-challenge directory needs to be open is during a certificate renewal.
If your firewall is Linux based, ip-chains and rules work well. I've posted details on that several times here before, click here for the latest details I shared - one week ago. If your firewall is appliance based, there may be an API or scriptable option.
If you use Certbot, there are hooks to register firewall toggling scripts with. If you use other clients, you can just use a simple shell script that wraps invoking your client with firewall actions. I like to use Fabric, a Python library that is great for scripting automated tasks.
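An added example of the wrapper script described above (not the poster's own script, and not code from Certbot or acme-dns): it opens the ACME port only while the client runs and closes it again regardless of the client's outcome. It assumes iptables and a dedicated chain with the hypothetical name `ACME_WINDOW` that you have created and jumped to from `INPUT`; the `IPT` variable can be overridden for a dry run. The defaults cover HTTP-01 on tcp/80; for a self-hosted acme-dns the same script serves with `FW_PORT=53 FW_PROTO=udp`.

```shell
#!/bin/sh
# Added example, not from the original post: keep the ACME listening port closed
# except while the client runs. Assumes iptables and a dedicated chain named in
# FW_CHAIN (ACME_WINDOW is a hypothetical name; create it and jump to it from
# INPUT before use). Override IPT (e.g. IPT=echo) for a dry run.

FW_CHAIN="${FW_CHAIN:-ACME_WINDOW}"
FW_PORT="${FW_PORT:-80}"
FW_PROTO="${FW_PROTO:-tcp}"
IPT="${IPT:-iptables}"

# Rule arguments built in one place so they can be inspected before use.
# $1 is -I (insert at the top of the chain) or -D (delete the same rule).
fw_rule_args() {
    printf '%s %s -p %s --dport %s -j ACCEPT' "$1" "$FW_CHAIN" "$FW_PROTO" "$FW_PORT"
}

fw_open()  { $IPT $(fw_rule_args -I); }
fw_close() { $IPT $(fw_rule_args -D); }

# Run the ACME client (passed as arguments) inside the open window and close
# the window again whatever the client's exit status was, including on Ctrl-C.
run_in_window() {
    fw_open || return 1
    trap 'fw_close; exit 130' INT TERM
    rc=0
    "$@" || rc=$?
    fw_close
    trap - INT TERM
    return "$rc"
}

# CLI: "open"/"close" for Certbot's --pre-hook/--post-hook, "run CMD ..." to
# wrap any other client. With no arguments nothing runs, so the file can be
# sourced and its functions reused.
case "${1:-}" in
    open)  fw_open ;;
    close) fw_close ;;
    run)   shift; run_in_window "$@" ;;
esac
```

With Certbot the two halves plug into its existing hook flags, e.g. `certbot renew --pre-hook "/usr/local/sbin/acme-window.sh open" --post-hook "/usr/local/sbin/acme-window.sh close"` (path is an assumption); for any other client, `acme-window.sh run <client command>` wraps the invocation. Inserting a rule into a dedicated chain rather than `INPUT` keeps the toggle from disturbing the rest of the ruleset, and deleting the exact same rule means a crashed renewal can be cleaned up with a single `close`.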