I have been researching connection validation options on several web server technologies.
Basic idea behind connection validation is to ensure the connection held by the pool is still valid - to say, the connection is still actively connected to the database. Many times what may happen in a pool situation is - pool believes connection is active, but the database server may have dropped the connection. Sometimes devices between the web app (say, router or firewall) can also drop the connection and the pool may not know about it. Sometimes when the application uses the connection it may have errored out and the application may have returned the connection in a bad state to the pool causing problems later when some part of the application uses that connection from the pool. Therefore it is necessary to test the validity of connections in the pool. It can be done at different times:
Apart from that it is also a good practice to test idle connections in the pool periodically so that pool does not continue to hold bad connections.
A good connection pool will provide you all of the above ways of testing the connections.
Now the question of how to test the connection. You can do anything to ensure the connection is still connected to the database. Typically it means running a query. Query need not hit any real table or any other object in the database. For example in case of oracle it may be selecting something from dual:
SELECT SYSDATE FROM DUAL;
In case of postgresql it can be:
Any query that hits the database and gets something from the database is good enough. Avoid hitting a real table or something like that to keep the connection testing overhead minimum.
About bonus question: Server administrators want to have control on the pool for various reasons (for example - to restrict number of connections an application can consume). Therefore pool configuration has to decide how many connections to acquire, how many to drop from the pool and when to do that. Therefore application should not be allowed to fiddle with the pool. Application should only use the pool but not tamper the pool.