I made good progress today. I have succeeded to create TAP00 and to assign two addresses to it. I will post my solution when I am done. In the mean time, I will try to explain better what I have in mind.
If I were to use actual hardware (Ethernet interfaces and servers) for everything, I would need: an ETH00 to the Internet, an ETH01 to a 10.x.x.x/255.255.255.240 (with NATing) private subnet for my server, and an ETH02 to a 10.y.y.y/255.255.255.0 (no NATing) private subnet with two DNS servers. I would have to set up the DNS servers as well as my server. ZeroShell already includes a DNS server, which it binds to every Ethernet interface it finds. So, if I create a virtual Ethernet interface within ZeroShell, I can assign two IP addresses to it, and ZeroShell will automatically bind DNS servers to them.
I think I have accomplished this much already. (The TAP00 virtual Ethernet interface is done; I have to verify that DNS is bound to the IP addresses assigned to it.) I have to make the route now between ETH01 and TAP00. I will work this out tomorrow.