The problem is not that a server goes down completely. but when the servers can not communicate with each other. Both can be master.
If I add discovery.zen.ping_timeout to 60s, the chance of Split Brain will be very low. If they can't communicate for more than 60 seconds, probably one has completely gone down.