Pass unmatched queries on configured domain to recursive server.

Open tcdent opened this issue 4 months ago • 2 comments

Description

I'm using a real TLD as my configured domain, but the DNS server intercepts all requests.

This allows names which don't match those registered by consul to be handled by the recursive server.

Caveat is that it could leak internal domain names if they are not in the pool and the upstream server is untrusted. Possible to add a configuration flag to enable/disable this feature if desired.

Testing & Reproduction steps

  • Configure consul with a real domain name.
  • Make a request to a real record on the recursive server at that domain.

PR Checklist

  • [ ] updated test coverage
  • [ ] external facing docs updated
  • [ ] appropriate backport labels added
  • [ ] not a security concern

tcdent, Sep 26 '24 00:09
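
The lookup order and the leak caveat described in the pull request above, modelled as an added example; it is not code from the PR or from Consul. The `Resolver` type, the `ForwardUnmatched` flag and the sample names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolver models the PR's lookup order (hypothetical names, not Consul's code).
type Resolver struct {
	Domain           string          // configured domain, e.g. "example.com."
	Catalog          map[string]bool // locally registered names (constructed)
	ForwardUnmatched bool            // hypothetical enable/disable flag
}

func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

func (r Resolver) inDomain(q string) bool {
	return q == r.Domain || strings.HasSuffix(q, "."+r.Domain)
}

// Decide returns "local", "forward" or "nxdomain" for one query name.
func (r Resolver) Decide(name string) string {
	q := fqdn(name)
	switch {
	case !r.inDomain(q):
		return "forward" // outside the configured domain: recursor as usual
	case r.Catalog[q]:
		return "local"
	case r.ForwardUnmatched:
		return "forward" // behaviour proposed in the PR
	}
	return "nxdomain" // server answers for the whole domain itself
}

// Leaked lists in-domain names that would be disclosed to the upstream server.
func (r Resolver) Leaked(queries []string) (out []string) {
	for _, n := range queries {
		if q := fqdn(n); r.inDomain(q) && r.Decide(q) == "forward" {
			out = append(out, q)
		}
	}
	return
}

func main() { // constructed sample: one registered service, one stale internal name
	r := Resolver{Domain: "example.com.", Catalog: map[string]bool{"web.service.example.com.": true}, ForwardUnmatched: true}
	fmt.Println(r.Leaked([]string{"web.service.example.com", "db-old.service.example.com"}))
}
```

Running `Leaked` over a sample of query logs with the flag on shows which internal-looking names (stale services, typos) would reach the upstream server before the behaviour is enabled.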