As an admin that has a split DNS infrastructure for my AD domain(both internal and external domains are .com), you are absolutely correct in that a split DNS infrastructure is the best way to attack your problem. I have one for my overall systems (with those DNS servers hosted on AD boxes, with an ISA 2006 firewall), and it works perfectly. User’s computers work the same internally or externally.
However, when you put the virtualmin system into the mix (since it is really independent of my other DNS servers) you have a problem that I haven’t easily solved yet.
Strictly speaking, virtualmin does not support split DNS, mainly because on a single box, it would require two copies of BIND running, bound to different internal IP addresses. One copy would be routed to via your NAT box to respond to external requests. The other would be the DNS server that your internal boxes use to not only resolve virtualmin addresses, but also recursively serve all other DNS requests as well. This gets tricky fast, and I recommend reading about split DNS over at isaserver.org for all the gory details.
The other folks are also right in that some NAT devices won’t cause this problem. However, that’s beyond my scope…
But you came looking for answers, so here’s a simple one.
If you have another (non virtualmin) DNS server on your local network (like an AD server) that all of your client machines go to for internet DNS (internal client DNS server ip is 192.168.???.??? for example), and that DNS server does recursive lookups for zones it doesn’t serve, then you can manually bandaid the problem.
On that DNS server, manually create each website zone you want the internal clients to go to. For example, if your AD zone is myad.com you already have a zone for that. But lets say you are hosting mywebsite.com. You need to create a primary zone on your internal (only) DNS server that serves that. The manually enter the records like www.mywebsite.com and point that record to 192.168.1.???. Now, internal users will get that address from the myad.com DNS server, because they go there FIRST, before your ISP’s DNS servers to get ip addresses. External users get forwarded directly to your virtualmin DNS server and get the “real” ip address from them. External uses do not ever get the private ip, because the myad.com DNS server is not serving DNS requests to the public web.
That is the essence of split DNS, and it is completely legal and highly recommended.
I wish there was a process to automate this under virtualmin, and I am bugging the guys about it, since it is really a pretty common scenario, and will only get more so as virtual servers continue to increase in popularity.
Good Luck, and check out isaserver.org for all the real-deal on split DNS.