Backport of docs: add a note for DNS resolver recommendations into release/1.18.x (#21256)

* backport of commit deb3371f28

* backport of commit 28315fda69

* backport of commit 995e9a8e25

* backport of commit d27b6b6711

---------

Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com>
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>

website/content/docs/services/discovery/dns-configuration.mdx

@@ -33,6 +33,8 @@ You can specify a list of addresses in the agent's [`recursors`](/consul/docs/ag
 
 Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates.
 
+We recommend that you configure DNS resolvers to point the `consul.` domain towards your Consul DNS servers. Misconfigurations may cause other DNS infrastructure to route queries for the `consul.` domain outside of your network instead, leaking DNS queries to root DNS servers. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions.
+
 ### Enable non-Consul queries
 You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration.
 
@@ -66,4 +68,4 @@ Responses to pointer record (PTR) queries, such as `<ip>.in-addr.arpa.`, always
 
 ### Caching
 
-By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.
+By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.