eightysix

R&D

encrypted_client_hello (0xfe0d)

This is a research domain.

Please consult RFC 9849: TLS Encrypted Client Hello

or my personal home page.

What???


TL;DR: Before ECH, anyone snooping on the network could see the domains you connected to. Thanks to ECH and DoH, this should no longer be possible.


You likely saw this domain while checking a packet capture or MITM proxy logs.

Modern browsers support "Encrypted Client Hello". They use it in combination with DoH/DNS-over-HTTPS.

Normally, the domain name is transmitted in plain text, since the server needs to know which certificate to serve.

With ECH, the client does an extra DNS lookup (type 65 / HTTPS RR) and encrypts the "Client Hello", which also contains the server name.

This should now prevent malicious people from snooping on users, while also making it harder to censor websites.
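As an added illustration (not part of this page), here is a small Python parser showing what a packet-capture reviewer gets from the outer Client Hello: with ECH present, the plaintext server_name is only the public_name from the ECHConfig, not the site the user is visiting. The Client Hello bytes are constructed inline; the ECH payload is an opaque stand-in rather than a real encrypted ClientHelloInner, and "public.example" is a hypothetical public_name.

```python
import struct
from typing import Optional

ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello
SNI_EXT_TYPE = 0x0000   # server_name

def build_client_hello(sni: str, ech_payload: Optional[bytes]) -> bytes:
    """Constructed test data: a minimal TLS handshake record carrying a ClientHello."""
    name = sni.encode("ascii")
    # server_name extension: ServerNameList(list_len, name_type=host_name, name_len, name)
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    if ech_payload is not None:   # opaque stand-in, not a real ClientHelloOuter ECH body
        exts += struct.pack("!HH", ECH_EXT_TYPE, len(ech_payload)) + ech_payload
    hello = (struct.pack("!H", 0x0303) + b"\x00" * 32     # legacy_version, random
             + b"\x00"                                     # empty legacy_session_id
             + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
             + b"\x01\x00"                                 # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record: bytes) -> dict:
    """Return the plaintext (outer) SNI and whether an ECH extension is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record containing a ClientHello")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 4 + 2 + 32                                        # skip header, version, random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, ext_types = None, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == SNI_EXT_TYPE:
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
    return {"outer_sni": sni, "ech": ECH_EXT_TYPE in ext_types}

def describe(record: bytes) -> str:
    info = inspect_client_hello(record)
    if info["ech"]:
        return f"ECH present: '{info['outer_sni']}' is only the ECHConfig public_name; the real server name is encrypted"
    return f"no ECH: the client is connecting to '{info['outer_sni']}' in plaintext"
```

Running `describe(build_client_hello("public.example", b"\x00" * 16))` reports an ECH connection whose true destination is hidden, which is exactly the situation that leads people to this page.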


Let's just say, if you landed here out of curiosity from snooping on traffic, it is working successfully and you are out of luck.

If you are the network admin, you might be able to prevent this behaviour with a TLS-MITM proxy (don't!), policy rules, or a canary domain (returning NXDOMAIN for use-application-dns.net).

However, if the user has forced encrypted DNS in their browser, you absolutely are out of luck: you can only disrupt their browsing session; neither MITM nor re-routing works.


(Okay, you might be able to MITM their TLS traffic and force a custom CA, but they need to approve that first.)

(Also note: if you use non-wildcard TLS certificates from well-known CAs, your subdomains will still get "leaked" due to CT logs!)