Why do Ubuntu Servers connect to likho.canonical.com:80?

I believe in teaching people to fish so why don't you visit http://likho.canonical.com/? Port 80 is habitually web traffic so that's why I'm suggesting opening it in your browser.

You'll quickly see that likho.canonical.com is a repository. It's probably just a load-balancing thing (a round-robin A record to be precise) for the archive.ubuntu.com address. The domain you're seeing is the reverse IP lookup.

Therefore a connection from your server is probably a reflection of your server updating its local package records, and/or subsequently downloading updates.

How do we confirm likho.canonical.com is legitimate?

Well, first let's prove that likho.canonical.com can be resolved from archive.ubuntu.com. Here's the trimmed dig archive.ubuntu.com output:

;; ANSWER SECTION:
archive.ubuntu.com. 149 IN  A   91.189.92.176
archive.ubuntu.com. 149 IN  A   91.189.92.177
archive.ubuntu.com. 149 IN  A   91.189.92.200
archive.ubuntu.com. 149 IN  A   91.189.92.201
archive.ubuntu.com. 149 IN  A   91.189.92.202
archive.ubuntu.com. 149 IN  A   91.189.91.13
archive.ubuntu.com. 149 IN  A   91.189.91.14
archive.ubuntu.com. 149 IN  A   91.189.91.15   <- This is likho.canonical.com
archive.ubuntu.com. 149 IN  A   91.189.92.156

And here are the lookups in both directions proving that 91.189.91.15 also resolves as likho.canonical.com (and vice versa):

$ host 91.189.91.15
15.91.189.91.in-addr.arpa domain name pointer likho.canonical.com.

$ dig likho.canonical.com +short
91.189.91.15

If you want further proof, you could do some TCPdumping to sniff out the traffic but I think that's crossing into an unnecessarily high level of paranoia. If you can't trust your repos, you need to cut the Ethernet cable.

More fun with DNS and friends

If you want to play around, you can get the rest of the names of their servers that archive.ubuntu.com resolves to:

$ dig archive.ubuntu.com +short | xargs -I% host %
15.91.189.91.in-addr.arpa domain name pointer likho.canonical.com.
156.92.189.91.in-addr.arpa domain name pointer danava.canonical.com.
176.92.189.91.in-addr.arpa domain name pointer cursa.canonical.com.
177.92.189.91.in-addr.arpa domain name pointer zaurac.canonical.com.
200.92.189.91.in-addr.arpa domain name pointer obake.canonical.com.
201.92.189.91.in-addr.arpa domain name pointer urayuli.canonical.com.
202.92.189.91.in-addr.arpa domain name pointer sudice.canonical.com.
13.91.189.91.in-addr.arpa domain name pointer ragana.canonical.com.
14.91.189.91.in-addr.arpa domain name pointer orobas.canonical.com.

See which has the lowest latency for you:

$ dig archive.ubuntu.com +short | xargs -I% ping -c1 % | awk '/time=/ {split($7, array, "="); print $4 "\t" array[2] "ms"}' | sort -n -r -t$'\t' -k 1
91.189.92.202:  19.8ms
91.189.92.201:  19.8ms
91.189.92.200:  19.4ms
91.189.92.177:  20.5ms
91.189.92.176:  19.6ms
91.189.92.156:  20.2ms
91.189.91.15:   97.4ms
91.189.91.14:   95.9ms
91.189.91.13:   96.4ms

And here's how you triangulate somebody's location to within three feet just using their latencies from known locations... Okay... Maybe not. It's probably possible to within 50 miles (if you know the server locations and network links) but you'd need to know a lot more information than I certainly have.
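
The "lookups in both directions" check from the answer, written as a reusable script. This is an added example, not part of the original answer. The function names (`lookup_ptr`, `lookup_a`, `use_sample_resolver`, `fcrdns_check`) are hypothetical, and the sample rows for 203.0.113.7 and 198.51.100.9 are constructed to show a PTR record that claims a canonical.com name without the forward record agreeing.

```shell
#!/bin/sh
# Forward-confirmed reverse DNS: an IP's PTR name must sit under the expected
# domain AND that name must resolve back to the same IP. A PTR alone proves
# little, because whoever controls the IP block's reverse zone sets it.

# Resolver hooks (hypothetical names). Default: live lookups with dig.
lookup_ptr() { dig +short -x "$1" | sed 's/\.$//'; }
lookup_a()   { dig +short A "$1"; }

# Swap the hooks for constructed sample data so the check runs offline.
# 91.189.91.15 is from the page; the other two rows are made up.
use_sample_resolver() {
    lookup_ptr() { awk -v k="$1" '$1 == k { print $2 }' <<'EOF'
91.189.91.15 likho.canonical.com
203.0.113.7 likho.canonical.com
198.51.100.9 host.example.net
EOF
    }
    lookup_a() { awk -v k="$1" '$1 == k { print $2 }' <<'EOF'
likho.canonical.com 91.189.91.15
host.example.net 198.51.100.9
EOF
    }
}

# fcrdns_check IP DOMAIN: print a verdict, return 0 only when confirmed.
fcrdns_check() {
    local ip="$1" domain="$2" name
    name=$(lookup_ptr "$ip" | head -n1)
    [ -n "$name" ] || { echo "FAIL $ip: no PTR record"; return 1; }
    case "$name" in
        *".$domain") ;;   # leading dot: evilcanonical.com must not match
        *) echo "FAIL $ip: PTR $name is outside $domain"; return 1 ;;
    esac
    if lookup_a "$name" | grep -qxF "$ip"; then
        echo "OK $ip <-> $name"
    else
        echo "FAIL $ip: $name does not resolve back to it"
        return 1
    fi
}

# Offline demo, in a subshell so the live hooks stay in place afterwards.
( use_sample_resolver
  for ip in 91.189.91.15 203.0.113.7 198.51.100.9; do
      fcrdns_check "$ip" canonical.com
  done ) || true
```

Without `use_sample_resolver`, `fcrdns_check` queries live DNS through `dig`, so it can be pointed at any remote address seen in connection logs.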