Exposing 443 and 80 for DNS Challenge?

Those ports are needed for the ACME HTTP and TLS-ALPN challenges (80 and 443 respectively), not for the DNS challenge.

The DNS challenge is special: it works by having the ACME CA do a DNS query to look for a TXT-type record in your DNS zone, and it requires building Caddy with the DNS plugin for your appropriate DNS provider.

The benefit of the DNS challenge is that it allows you to get wildcard certs (if you need it, most people don’t), and it allows you to get certificates even when ports 80/443 are not accessible (i.e. your ISP blocks those ports, or you’re not able to get a public static IP to reach your server).

There are no inherent security concerns in keeping ports 80/443 open, though. It’s Caddy’s job to handle incoming connections on those ports. You can read this article to get a better idea of how it looks for home networking:

The other benefit of exclusively using ports 80/443 for your webserver needs is that browsers default to those ports (for HTTP and HTTPS respectively; Caddy will always just redirect HTTP requests to the HTTPS port). If you use non-standard ports like 8080, then you have to actually type that port number in your browser’s address bar. Annoying.

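To make the difference between the challenges concrete, here is an added example (not code from the post above, and not Caddy's own implementation) that computes what each ACME challenge actually checks, following RFC 8555 and RFC 7638: the HTTP-01 challenge serves the raw key authorization on port 80, while the DNS-01 challenge publishes a base64url SHA-256 digest of it in a TXT record at `_acme-challenge.<domain>`, which is why no inbound port is needed. The account key, token and TXT records below are constructed sample values, not real keys or records.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: a fake P-256 account key (x/y are filler bytes,
# not a real curve point) and a fake challenge token. Not from any real CA.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode(),
    "y": base64.urlsafe_b64encode(bytes(range(32, 64))).rstrip(b"=").decode(),
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required JWK members,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response_body(token: str, jwk: dict) -> str:
    """HTTP-01: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
    over port 80 and expects the raw key authorization as the body."""
    return key_authorization(token, jwk)


def dns01_record_name(domain: str) -> str:
    """TXT record owner name. For a wildcard request the '*.' label is
    dropped, so '*.example.com' is validated at _acme-challenge.example.com."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 (RFC 8555 s8.4): base64url(SHA-256(keyAuthorization)).
    Only the digest is published, never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_validate(txt_records: list[str], token: str, jwk: dict) -> bool:
    """What the CA does after its DNS query: accept if any TXT record at
    _acme-challenge.<domain> matches the expected digest exactly."""
    expected = dns01_txt_value(token, jwk)
    return any(hmac.compare_digest(r, expected) for r in txt_records)


if __name__ == "__main__":
    # Constructed walk-through for a wildcard request.
    print("HTTP-01 body :", http01_response_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 name  :", dns01_record_name("*.example.com"))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    # A constructed zone that published the correct record passes...
    zone = [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK), "v=spf1 -all"]
    print("valid        :", dns01_validate(zone, SAMPLE_TOKEN, SAMPLE_JWK))
    # ...while publishing the raw key authorization (a common mistake) fails.
    wrong = [http01_response_body(SAMPLE_TOKEN, SAMPLE_JWK)]
    print("raw keyauth  :", dns01_validate(wrong, SAMPLE_TOKEN, SAMPLE_JWK))
```

The last two checks are the practical takeaway: the DNS plugin's only job is to create the digest record under `_acme-challenge` in the zone the CA resolves, so the server itself never has to be reachable, and a record containing the un-hashed key authorization will never validate.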