I think query #2 probably is PAM, as suggested earlier.
Here is some tcpdump chatter (on the server side) while I logged in via ssh to a FreeBSD 6.4 server:
Immediately following initial sshd handshake
Code:
# tcpdump dst port 53
14:16:14.640019 IP ernie.some.place.net.59808 > ns2.place.net.domain: 23651+ PTR? 159.68.10.10.in-addr.arpa. (43)
(output truncated for readability)
Immediately following successful authentication
Code:
# tcpdump dst port 53
14:16:32.163573 IP ernie.some.place.net.59567 > ns2.place.net.domain: 23653+ A? dhcp-10-10-68-159.fin.place.net. (50)
(output truncated for readability)
Notice that the first is a reverse lookup, and the second is a forward lookup. Hmm. Now look at this in the /var/log/auth.log file:
Code:
May 20 14:16:32 ernie sshd[15384]: Accepted keyboard-interactive/pam for mrbig from 10.10.68.159 port 60784 ssh2
See the matching timestamp? Also see how it shows an IP instead of a hostname? (Failed authentication attempts neither perform a forward lookup, nor log an IP address, BTW.)
Again, PAM seems likely to be the cause of lookup #2.
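As an added example (not part of the original post): a small Python script that does the timestamp correlation described above, pairing each sshd "Accepted" line with the earlier PTR query for the client address and any forward lookup sent in the same second. The sample input is the lines quoted in the post; the function names, the one-second window and the same-day assumption are mine.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Sample input: the tcpdump and auth.log lines quoted in the post above.
TCPDUMP = """\
14:16:14.640019 IP ernie.some.place.net.59808 > ns2.place.net.domain: 23651+ PTR? 159.68.10.10.in-addr.arpa. (43)
14:16:32.163573 IP ernie.some.place.net.59567 > ns2.place.net.domain: 23653+ A? dhcp-10-10-68-159.fin.place.net. (50)
"""
AUTH_LOG = """\
May 20 14:16:32 ernie sshd[15384]: Accepted keyboard-interactive/pam for mrbig from 10.10.68.159 port 60784 ssh2
"""

# tcpdump DNS query line: time, query type, query name (trailing dot dropped).
DNS_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP \S+ > \S+: \d+\+? (PTR|A|AAAA)\? (\S+?)\.? \(\d+\)")
# sshd success line: time, method, user, client address as logged.
AUTH_RE = re.compile(r"^\w{3} +\d+ (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def _t(hms):
    # Assumption: both captures are from the same day, so time of day is enough.
    return datetime.strptime(hms, "%H:%M:%S")

def parse_dns(text):
    hits = (DNS_RE.match(l) for l in text.splitlines())
    return [(_t(m[1]), m[2], m[3]) for m in hits if m]

def parse_accepts(text):
    hits = (AUTH_RE.match(l) for l in text.splitlines())
    return [(_t(m[1]), m[2], m[3], m[4]) for m in hits if m]

def correlate(dns, accepts, window=1):
    """Pair each accepted login with the earlier PTR query for its client IP
    and with forward (A/AAAA) queries sent within `window` seconds of it."""
    report = []
    for when, method, user, client in accepts:
        try:
            rev = ip_address(client).reverse_pointer  # 159.68.10.10.in-addr.arpa
        except ValueError:  # logged as a hostname: no PTR name to match
            rev = None
        ptr_gaps = [int((when - t).total_seconds()) for t, qt, qn in dns
                    if qt == "PTR" and qn == rev and t <= when]
        forward = [qn for t, qt, qn in dns if qt in ("A", "AAAA")
                   and abs((t - when).total_seconds()) <= window]
        report.append({"user": user, "method": method, "client": client,
                       "ptr_seconds_before": ptr_gaps, "forward_names": forward})
    return report

if __name__ == "__main__":
    for row in correlate(parse_dns(TCPDUMP), parse_accepts(AUTH_LOG)):
        print(row)
```

On the quoted lines this reports the PTR query 18 seconds before the login and the A query for dhcp-10-10-68-159.fin.place.net in the same second as the "Accepted" entry.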