For egress DSCP marking, unless there's a special requirement, I think it's better to do it on the device that generates the traffic, as it would allow you to mark packets for individual processes, which is simpler and more reliable than matching IP:port. Also, the device is likely to have more resources to do the marking than the router.