Picking which recursive resolvers to query is not as obvious as "the biggest ones". The point of probing twelve is to sample a population that covers different geographies, different operators with different cache eviction strategies, and a mix of filtering policies. Here is the actual list, in the order they appear in the probe matrix, and why each one earned a seat.
Cloudflare — 1.1.1.1 and 1.0.0.1
The most-queried public resolver on the planet. Cloudflare runs an anycast footprint in 300+ cities, supports DoH/DoT natively, and was the first major resolver to commit to not selling query data. We probe both addresses because they are physically separate networks and occasionally diverge during incidents — useful signal you don't get from a single endpoint.
Google — 8.8.8.8 and 8.8.4.4
Operationally the most mature of the bunch. Google Public DNS pioneered EDNS client subnet (ECS) at scale, which lets authoritative CDN servers return a region-correct answer based on the client's network prefix. That means a Google-resolved answer for a Cloudflare- or Fastly-fronted hostname can legitimately differ from a 1.1.1.1 answer for the same name, depending on where the query terminates.
Quad9 — 9.9.9.9
Operated by a Swiss-based non-profit (in collaboration with IBM and PCH). The 9.9.9.9 endpoint blocks known-malicious domains from a curated threat intel feed — useful as a sanity check for "would a Quad9 user see my domain?" If your domain ever lands on a threat list, this is one of the first resolvers that will silently NXDOMAIN you.
OpenDNS — 208.67.222.222
Now part of Cisco. OpenDNS will return a sentinel address for blocked categories rather than NXDOMAIN, which makes failure modes more visible. Their network is one of the oldest large recursive deployments still in operation.
DNS.Watch — 84.200.69.80
Small German-operated resolver with a strict no-logging stance. Useful because its cache is smaller than the giants and tends to refill faster — propagation often shows up here first.
Yandex — 77.88.8.8
Operationally important if any portion of your audience is in Russia, the CIS, or anywhere a Yandex Browser is the default. Yandex's cache routinely diverges from the Western majors during regional connectivity events.
Comodo — 8.26.56.26
Aggressive malware filtering. Useful as a second opinion to Quad9 — if both Quad9 and Comodo return NXDOMAIN for your A record but the other ten return the right IP, something has flagged your domain on a feed.
Verisign — 64.6.64.6
Run by the operator of the .com and .net TLDs. Conservative caching, no filtering. A good baseline reference.
Hurricane Electric — 74.82.42.42
HE is best known for its IPv6 tunnel broker, and its DNS infra is similarly pragmatic. Their public resolver has an over-represented presence at network exchange points — useful as a fast-path measurement for AS-level reachability.
AdGuard — 94.140.14.14
Filters ads, trackers and known-bad domains at the DNS layer. If your hostname is on an AdGuard filter list (some marketing subdomains are), it will NXDOMAIN. Treat AdGuard agreement as "consumers running ad-blocking DNS see it too".
Why exactly twelve
Two reasons. First, twelve gives you statistical room to call a verdict — eleven agreeing and one disagreeing is "partial propagation, investigate", whereas with three resolvers you can't distinguish that from noise. Second, twelve fits in a single horizontal table on a normal viewport without an inner scroll, which matters for the UX of the dnscheck results page. See for yourself: wikipedia.org.
What we deliberately exclude
OpenNIC and other alt-root resolvers, which serve a non-ICANN view of the namespace. ISP-specific resolvers like Comcast's or Telekom's — they are not generally reachable from a third-party probe host. And anything that requires DoH/DoT only, because dig +short @<ip> needs UDP/TCP on port 53 to work uniformly.
Reference: public resolver comparison; RFC 7871 (EDNS Client Subnet).