I must correct myself; The DNS challenge is indeed being discouraged in the future, but it is because the DNS-01 challenge is being replaced by the DNS-PERSIST-01 challenge which addresses deficiencies in DNS-01.

The trust and security issues associated with maintaining intranet resources vs. outsourcing to a dedicated professional cloud service provider remain, but are not related to whether any SSL certificates used are issued through DNS-based verification or not.