Hacker News

amiga386 last Wednesday at 6:47 PM

What does this mean for CAs that issue certs for completely internal corporate DNS?

Does this mean the corporations have to reveal all their internal DNS and sites to the public (or at least the CA) and let them do DV, if they want certs issued for their wholly-internal domains that will be valid in normal browsers?


Replies

gruez last Wednesday at 6:54 PM

>Does this mean the corporations have to reveal all their internal DNS and sites to the public (or at least the CA) and let them do DV, if they want certs issued for their wholly-internal domains that will be valid in normal browsers?

The blog post has nothing to do with this, because it was already the case with certificate transparency. The solution is to use wildcard certificates. For instance, if you don't want secretproject.evil.corp to be visible to everyone, you could get a wildcard certificate for *.evil.corp instead.

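An added example, not part of either comment above: a planning check that takes the internal hostnames you need to serve and the SAN list you intend to request, and reports which hostnames would be published through certificate transparency, which are covered only by a wildcard, and which the certificate would not cover at all. The function names and every hostname other than secretproject.evil.corp and *.evil.corp are constructed for illustration; the matching rule assumed is the usual one where a wildcard stands for exactly one leftmost label.

```python
def san_matches(san: str, host: str) -> bool:
    """True if a certificate SAN entry covers host.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.evil.corp covers a.evil.corp but neither
    a.b.evil.corp nor evil.corp itself.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def classify(hosts, sans):
    """Label each host by what the planned certificate reveals about it.

    'logged'    - the hostname itself is a SAN, so it appears in CT logs
    'hidden'    - covered only by a wildcard; CT logs show the wildcard
                  (and therefore the parent domain), not this hostname
    'uncovered' - no SAN matches; browsers would reject the certificate
    """
    result = {}
    for host in hosts:
        if any(not s.startswith("*.") and san_matches(s, host) for s in sans):
            result[host] = "logged"
        elif any(san_matches(s, host) for s in sans):
            result[host] = "hidden"
        else:
            result[host] = "uncovered"
    return result


# Constructed sample input: planned SANs and the internal names to serve.
PLANNED_SANS = ["*.evil.corp", "wiki.evil.corp"]
INTERNAL_HOSTS = [
    "secretproject.evil.corp",      # the name from the comment above
    "wiki.evil.corp",               # explicitly listed, so it gets logged
    "api.secretproject.evil.corp",  # two labels deep, wildcard does not reach
    "evil.corp",                    # apex is not covered by the wildcard
]

if __name__ == "__main__":
    for name, status in classify(INTERNAL_HOSTS, PLANNED_SANS).items():
        print(f"{status:10} {name}")
```

Names reported as uncovered would need either their own SAN, which puts them in the logs, or a deeper wildcard such as *.secretproject.evil.corp, which puts the secretproject label in the logs.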