<i>Is Ubuntu Linux spying on you?</i><p>It has in the past but I would be somewhat surprised if they did not learn from the blow-back unless they have entirely new leadership.<p>One small suggestion, instead of creating a systemd unit file on the host your are monitoring I would suggest doing your captures on your router and also force all DNS through that router <i>using the nat table to capture 53, 853 and blackhole all the commonly used DoH/DoT servers</i>. Despite theories suggested on here in the past none of the common DoH servers use shared CDN IP's. After blocking those IP's then reboot the host to clear application DNS cache.<p>Boot up all the mainstream distributions to see which ones are being chatty. Another one that may be fun to play around with is the latest Fedora beta. <i>No [Spoilers].</i> Have fun with it, don't just use tcpdump. Instead give bogon IP's for some of the names you see being requested after rebooting the VM and watch what breaks then add that to your blog. Some apps may have hard coded IP's to fall back on like Windows has done since at least XP. QubesOS is one good way to try each of them out including their beta versions and release candidates. The testing should be after a clean installation from the ISO and then again after a OS update and reboot otherwise it could be applications you installed creating red herrings. The reason for testing after ISO and then again after OS update is to see if someone changed their minds about telemetry or to see if people are playing cat-and-mouse when people document findings.
I created picosnitch which may be of interest if you also want to see the executable behind each request, this way you wouldn't need to disable NextCloud, Dropbox, Slack, etc (the UI doesn't have negative filtering, yet, but everything is just an entry in a sqlite db).<p>It also gets the hash of each executable, which can be useful if you're running any containers with different versions of the same executable which would otherwise appear to have the same path.