Why does Let's Encrypt send a large number of DNS TCP requests to authoritative resolution

Let's Encrypt must perform at least two kinds of checks during validation:

  • Checking domain control, via the HTTP-01, TLS-ALPN-01, or DNS-01 method, all of which require us to perform a DNS lookup; and
  • Checking CAA, which also requires at least one DNS lookup.

In addition, we perform these checks from multiple locations around the world, to help prevent BGP hijacking attacks.

Finally, we are required to operate our own recursive resolvers, and cannot rely on public caching recursive resolvers such as 8.8.8.8.

Putting all of this together -- doing both kinds of checks, from multiple locations, directly -- means that we usually have to make 8+ DNS queries to your authoritative name servers.

You can read more about these here:

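As an added illustration (not code from the post above or from Let's Encrypt's Boulder CA), the script below estimates, offline, how many queries a single validation sends to the authoritative servers. It models two pieces of the answer: the challenge-specific lookup (assumed here to be A plus AAAA for HTTP-01/TLS-ALPN-01, and the `_acme-challenge` TXT record for DNS-01), and the CAA lookup, which per RFC 8659 climbs from the validated name toward the root until a CAA RRset is found, so a name with no CAA record of its own costs more than one CAA query. The zone data, the vantage-point count, and the per-method lookup sets are constructed assumptions; CNAME chasing and the resolver's own NS/glue traffic are deliberately left out.

```python
"""Offline estimate of authoritative DNS queries per Let's Encrypt validation.

Added example with a simplified model; not Boulder's actual validation code.
"""
from typing import Dict, List, Tuple

Query = Tuple[str, str]  # (qname, qtype)

# Constructed zone: fully-qualified name -> {rrtype: [rdata, ...]}.
# Only example.com has a CAA record; www.example.com does not.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com.": {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
        "CAA": ['0 issue "letsencrypt.org"'],
    },
    "www.example.com.": {"A": ["192.0.2.10"]},
    "_acme-challenge.www.example.com.": {"TXT": ["constructed-key-authorization-hash"]},
}


def _fqdn(name: str) -> str:
    """Normalise to a trailing-dot FQDN so zone lookups are consistent."""
    return name.rstrip(".") + "."


def caa_lookups(name: str, zone: Dict[str, Dict[str, List[str]]] = ZONE) -> List[Query]:
    """RFC 8659 tree climb: query CAA at the name, then at each parent,
    stopping at the first non-empty CAA RRset. The root itself is not queried."""
    queries: List[Query] = []
    labels = _fqdn(name).rstrip(".").split(".")
    while labels:
        qname = ".".join(labels) + "."
        queries.append((qname, "CAA"))
        if zone.get(qname, {}).get("CAA"):
            break  # found the relevant CAA RRset; stop climbing
        labels.pop(0)  # no CAA here: try the parent domain
    return queries


def challenge_lookups(name: str, method: str) -> List[Query]:
    """Lookups needed to reach the challenge target (assumed per-method sets)."""
    fqdn = _fqdn(name)
    if method in ("http-01", "tls-alpn-01"):
        # Assumption: the CA resolves both address families before connecting.
        return [(fqdn, "A"), (fqdn, "AAAA")]
    if method == "dns-01":
        return [("_acme-challenge." + fqdn, "TXT")]
    raise ValueError(f"unknown challenge method: {method}")


def queries_per_vantage_point(name: str, method: str) -> List[Query]:
    """Everything one validation location asks the authoritative servers."""
    return challenge_lookups(name, method) + caa_lookups(name)


def count_queries(name: str, method: str, vantage_points: int) -> int:
    """Total authoritative queries: each location repeats the whole set,
    because every location runs its own non-shared recursive resolver."""
    if vantage_points < 1:
        raise ValueError("need at least one vantage point")
    return len(queries_per_vantage_point(name, method)) * vantage_points


if __name__ == "__main__":
    for method in ("http-01", "dns-01"):
        per_vp = queries_per_vantage_point("www.example.com", method)
        print(method, per_vp, "x3 locations =", count_queries("www.example.com", method, 3))
```

With the constructed zone, an HTTP-01 validation of `www.example.com` costs four queries per location (A, AAAA, CAA at `www.example.com`, CAA at `example.com`), and three locations bring that to twelve; adding a CAA record directly at the validated name removes one query per location.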