Pass unmatched queries on configured domain to recursive server.

[tcdent]

Description

I'm using a real TLD as my configured domain, but the DNS server intercepts all requests.

This allows names which don't match those registered by consul to be handled by the recursive server.

Caveat is that it could leak internal domain names if they are not in the pool and the upstream server is untrusted. Possible to add a configuration flag to enable/disable this feature if desired.

Testing & Reproduction steps

• Configure consul with a real domain name.
• Make a request to a real record on the recursive server at that domain.

PR Checklist

• [ ] updated test coverage
• [ ] external facing docs updated
• [ ] appropriate backport labels added
• [ ] not a security concern

[hashicorp-cla-app[bot]]

All committers have signed the CLA.

[hashicorp-cla-app[bot]]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}