Refactor and enhance DNS resolution tool with new features

- Introduced wildcard DNS detection, exiting early unless overridden with `-force`.
- Implemented wordlist deduplication, reporting duplicates removed during loading.
- Replaced `-retries` flag with `-attempts` for clarity, maintaining backward compatibility with a warning.
- Refactored code into `internal/dns`, `internal/output`, and `internal/wordlist` packages for better organization.
- Updated output handling to direct results to stdout and diagnostics to stderr, improving pipe compatibility.
- Bumped version to 0.4.0 and documented changes in CHANGELOG.md.

Author: TMHSDigital

README.md

@@ -12,7 +12,7 @@
 [![CodeQL](https://img.shields.io/github/actions/workflow/status/TMHSDigital/subenum/codeql.yml?label=CodeQL&style=for-the-badge)](https://github.com/TMHSDigital/subenum/actions/workflows/codeql.yml)
 [![Release](https://img.shields.io/github/v/release/TMHSDigital/subenum?style=for-the-badge)](https://github.com/TMHSDigital/subenum/releases)
 
-`Concurrent Workers` · `Context-Aware Cancellation` · `Retry with Backoff` · `Simulation Mode` · `Zero Dependencies`
+`Concurrent Workers` · `Context-Aware Cancellation` · `Retry with Backoff` · `Wildcard Detection` · `Simulation Mode` · `Zero Dependencies`
 
 [Quick Start](#-installation) | [Documentation](./docs) | [Architecture](#-system-architecture) | [Changelog](./logs/CHANGELOG.md)
 
@@ -30,10 +30,12 @@
 | :--- | :--- |
 | Worker Pool | Spawn N goroutines for parallel DNS resolution with configurable concurrency ceiling. |
 | DNS Engine | Resolve subdomains against any custom DNS server with per-query timeouts and exponential-backoff retries. |
+| Wildcard Detection | Double-probe random subdomain check before scanning; exits early unless `-force` is set. |
 | Graceful Shutdown | Trap SIGINT/SIGTERM, drain in-flight workers, flush partial results to disk. |
 | Input Validation | Enforce RFC-compliant domain syntax and strict IP:port format for DNS server arguments. |
+| Wordlist Dedup | Automatically remove duplicate entries from the wordlist before scanning. |
 | Simulation Mode | Generate synthetic DNS results at a configurable hit rate without network I/O. |
-| Output Pipeline | Stream results to stdout and optionally to a buffered output file simultaneously. |
+| Output Pipeline | Stream resolved domains to stdout (pipe-friendly); progress and diagnostics go to stderr. |
 | Progress Reporting | Live terminal progress with atomic counters, updated on a 2-second ticker. |
 
 <br>
@@ -47,10 +49,15 @@
 ```mermaid
 flowchart LR
     subgraph Input
-        A[Wordlist File] -->|line-by-line| B(Sanitize + Channel)
+        A[Wordlist File] -->|"dedup + load"| B(Entry Slice)
         C[CLI Flags] --> D(Argument Parser)
     end
 
+    subgraph PreScan
+        D --> W{Wildcard\nDetection}
+        W -->|"no wildcard / --force"| E
+    end
+
     subgraph Engine
         B --> E{Worker Pool\nN Goroutines}
         E -->|subdomain.domain| F[DNS Resolver]
@@ -59,10 +66,10 @@ flowchart LR
         G -->|timeout| F
     end
 
-    subgraph Output
-        F -->|resolved| H[stdout]
+    subgraph OutputLayer ["Output"]
+        F -->|resolved| H["stdout (results only)"]
         F -->|resolved| I[Output File]
-        E -->|atomic counters| J[Progress Reporter]
+        E -->|atomic counters| J["stderr (progress)"]
     end
 
     K[SIGINT / SIGTERM] -->|cancel| G
@@ -77,6 +84,9 @@ flowchart LR
 > [!IMPORTANT]
 > **Authorized use only.** Only scan domains you own or have explicit written permission to test. Unauthorized scanning may violate applicable laws. Users are solely responsible for compliance.
 
+> [!NOTE]
+> **Wildcard DNS detection.** Before scanning, subenum resolves two random subdomains to check for wildcard DNS. If the domain uses wildcard records, the tool exits with a warning (all subdomains would resolve, making results meaningless). Pass `-force` to override and scan anyway.
+
 > [!CAUTION]
 > **Simulation mode** (`-simulate`) generates synthetic results and performs zero network I/O. Do not confuse simulated output with real DNS data.
 
@@ -122,13 +132,15 @@ make help         # list all targets
 | `-t <n>` | `100` | Concurrent worker goroutines |
 | `-timeout <ms>` | `1000` | Per-query DNS timeout in milliseconds |
 | `-dns-server <ip:port>` | `8.8.8.8:53` | DNS server address (validated on startup) |
-| `-retries <n>` | `1` | Retry attempts per subdomain on failure |
+| `-attempts <n>` | `1` | Total DNS resolution attempts per subdomain (1 = no retry) |
+| `-force` | `false` | Continue scanning even if wildcard DNS is detected |
 | `-o <file>` | -- | Write results to file in addition to stdout |
-| `-v` | `false` | Verbose output: IPs, timings, per-query status |
-| `-progress` | `true` | Live progress line (disable with `-progress=false`) |
+| `-v` | `false` | Verbose output: IPs, timings, per-query status (written to stderr) |
+| `-progress` | `true` | Live progress line on stderr (disable with `-progress=false`) |
 | `-simulate` | `false` | Simulation mode: no real DNS queries |
 | `-hit-rate <n>` | `15` | Simulated resolution rate, percent (1-100) |
 | `-version` | -- | Print version and exit |
+| `-retries <n>` | -- | **Deprecated:** alias for `-attempts`, prints a warning |
 
 <br>
 
@@ -157,13 +169,19 @@ subenum -w <wordlist> [flags] <domain>
 **Resilient scan for flaky networks:**
 
 ```bash
-./subenum -w wordlist.txt -retries 3 -timeout 2000 example.com
+./subenum -w wordlist.txt -attempts 3 -timeout 2000 example.com
+```
+
+**Pipe-friendly output (progress goes to stderr, only results on stdout):**
+
+```bash
+./subenum -w wordlist.txt example.com | cut -d' ' -f2 | your-takeover-scanner
 ```
 
-**Pipe-friendly output:**
+**Force scan on wildcard domain:**
 
 ```bash
-./subenum -w wordlist.txt -progress=false example.com | cut -d' ' -f2 | your-takeover-scanner
+./subenum -w wordlist.txt -force example.com
 ```
 
 **Simulation (zero network I/O):**
@@ -212,12 +230,24 @@ subenum/
 │   ├── advanced_usage.md       # Scripting and integration patterns
 │   ├── demo.sh                 # Quick demo script
 │   └── multi_domain_scan.sh    # Batch scanning example
+├── internal/
+│   ├── dns/
+│   │   ├── resolver.go         # ResolveDomain, ResolveDomainWithRetry, CheckWildcard
+│   │   ├── resolver_test.go    # DNS resolution and wildcard detection tests
+│   │   ├── simulate.go         # SimulateResolution (synthetic DNS)
+│   │   └── simulate_test.go    # Simulation logic tests
+│   ├── output/
+│   │   ├── writer.go           # Thread-safe output (results→stdout, rest→stderr)
+│   │   └── writer_test.go      # Output writer tests
+│   └── wordlist/
+│       ├── reader.go           # LoadWordlist (dedup + sanitize)
+│       └── reader_test.go      # Wordlist loading and dedup tests
 ├── logs/
 │   └── CHANGELOG.md            # Versioned release history
 ├── tools/
 │   └── wordlist-gen.go         # Custom wordlist generator utility
-├── main.go                     # Entry point: CLI, worker pool, DNS engine
-├── main_test.go                # Test suite: resolution, validation, I/O
+├── main.go                     # CLI entry point: flag parsing, wiring
+├── main_test.go                # CLI-level tests: validation, flag logic
 ├── go.mod                      # Go module (zero external dependencies)
 ├── Dockerfile                  # Multi-stage Alpine build
 ├── docker-compose.yml          # Compose orchestration