But when I try this script I face this issue:
1462583138.084234 expression error in ././try.zeek, line 5: field value missing (c$dns$query)
The $dns field gets populated by a call to the set_session() hook. If you’re not doing any other DNS processing except what’s in the event in your script, then set_session() hasn’t been called.
BTW, in practice to catch cache poisoning you’ll need to compare the answers to make sure they differ. Unfortunately you’ll occasionally get benign duplicate replies (either due to network tapping issues, or occasionally due to rare network/system effects), probably at a rate a lot more common than seeing actual DNS cache poisoning. So if you don’t compare the replies (which unfortunately can be a pain), you might suffer from significant false positives.