It isn't required for the host to be actually up to get a certificate for it: the dns-01 challenge could be used from any host on the internet.
If you're afraid that someone is issuing certs without your consent (e.g. leaked Route53 credentials) you can use CAA to "lock" issuance to e.g. just the http-01 challenge or perhaps even to a single account. See Enabling ACME CAA Account and Method Binding for more info.