How does DNS-01 validation for Let’s Encrypt know what the right IP address is?

For my personal use, I bought a domain for internal SSL validation for my pfSense. I was able to get the Let’s Encrypt ACME script to successfully validate my domain and produce an SSL certificate for a subdomain. I set up my pfSense to use my new certificate and alternative host name successfully.

So far, everything was going according to my expectations. Since I am using a Windows server to run my DNS server (was forced to), I expected to set up a route on the DNS server to point to my pfSense’s IP. To my surprise, before making any further changes, when I tested my new subdomain, everything was working. I confirmed pfSense wasn’t running a DNS server and my computer’s network’s DNS was set to my Windows DNS server.

How is it possible that navigating to my new subdomain correctly links with my pfSense’s IP? Would this be true for all certificates I create via Let’s Encrypt’s ACME scripts?