I think it’s not necessary to open the services to the public:
Note that, in this configuration, anyone on the Internet can access the API of your acme-dns instance. If the other hosts that might be using it are on your LAN, you might want to change the access property above to just green rather than red,green.
Source:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns#conclusion
BTW, NethServer now supports DNS challenge with certbot, see documentation and Let's Encrypt DNS challenge.